CVE-2021-28125
Apache Superset Open Redirect
Severity Score
6.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.
Apache Superset versiones hasta 1.0.1 incluyéndola, permitió la creación de una URL externa que podría ser maliciosa. Al no comprobar la entrada del usuario para los redireccionamientos abiertos, la funcionalidad URL shortener permitiría a un usuario malicioso crear una URL corta para un panel que podría convencer al usuario de que haga clic en el enlace
*Credits:
Found and reported by Gianluca Veltri, Dario Castrogiovanni
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-03-10 CVE Reserved
- 2021-04-27 CVE Published
- 2024-03-19 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
References (2)
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|