216.73.217.176

CVE-2025-54066

· Published 17/07/2025 15:15 · Modified 17/07/2025 21:15

Labels: CVE-2025-54066 2025-07-17CVE-2025-54066CWE-601[email protected]

Essential information

Published
17/07/2025 15:15
Modified
17/07/2025 21:15
Author
Creator
CVSS
4.7 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS metrics

Description

DiracX-Web is a web application that provides an interface to interact with the DiracX services. Prior to version 0.1.0-a8, an attacker can forge a request that they can pass to redirect an authenticated user to another arbitrary website. In the login page, DiracX-Web has a `redirect` field which is the location where the server will redirect the user. This URI is not verified, and can be an arbitrary URI. Paired with a parameter pollution, an attacker can hide their malicious URI. This could be used for phishing, and extract new data (such as redirecting to a new "log in" page, and asking another time credentials). Version 0.1.0-a8 fixes this vulnerability.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
diracx / diracx-web cpe:2.3:a:diracx:diracx-web:<0.1.0-a8:*:*:*:*:*:*:*

References