Critical Vulnerability Information

Vulnerability Overview

CVE ID: CVE-2022-41715
Severity: High
Discoverer: CyberDucky301

Affected Versions

Affected Versions: <= 0.08.0
Fixed Version: 0.09.0

Vulnerability Description

1. Open Redirect in Login API
- CVSS Score: 7.4 (High)
- Location:
- Impact: Man-in-the-middle attacks, credential theft, malware distribution

Quick Summary

Vulnerability: Open redirect in login API
Cause: The login page accepts the parameter without validation, allowing attackers to redirect authorized users to arbitrary external sites.

Example URL

Recommended Actions

1. Immediate Fix:
- Enhance protection against SSRF and man-in-the-middle attacks.
- Minimize attack surface exposure.
2. Additional Hardening:
- Add CSP headers to restrict sensitive operations.
- Change DELETE operations from GET to POST.
- Implement rate limiting to prevent brute force attacks.

Quick Fix Code

Test Environment

Version: Latest main branch (as of January 2023)
Environment: Development instance
Production Systems: Not affected or patched

Fix Method

Fixed by ignoring the host portion of the redirect URL provided in login, and using only the relative URL portion. More details in #713.
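The fix method above (keep only the relative part of the supplied redirect target, drop any scheme and host) as an added, illustrative example; this is not the project's own code from #713. It assumes a Python backend and a hypothetical helper name, and also covers the edge cases a host-stripping approach must handle: protocol-relative `//host` targets, backslash variants that browsers treat as slashes, non-`/` schemes such as `javascript:`, and control characters that could corrupt the `Location` header.

```python
from urllib.parse import urlsplit, urlunsplit


def relative_redirect_target(raw: str, default: str = "/") -> str:
    """Reduce a client-supplied login redirect target to a same-origin path.

    Hypothetical helper illustrating the advisory's mitigation: whatever scheme
    or host the client sent is discarded, so the browser can only be sent to a
    location on the current origin. Anything that cannot be reduced to a rooted
    relative path falls back to `default`.
    """
    if not raw:
        return default

    # Browsers treat backslashes like forward slashes, so normalise first;
    # otherwise "/\evil.example" would parse as a harmless-looking path.
    candidate = raw.replace("\\", "/")
    parts = urlsplit(candidate)

    # The "ignore the host" step: parts.scheme and parts.netloc are never used.
    path = parts.path

    # After dropping the host, only a rooted path is an acceptable target.
    # This rejects "javascript:...", "https:evil.example" and empty paths.
    if not path.startswith("/"):
        return default

    # A path that still begins with "//" (e.g. from "http:////evil.example")
    # would be re-read by the browser as protocol-relative, i.e. a new host.
    if path.startswith("//"):
        return default

    # Control characters in the target could be used for header injection in
    # the Location header; refuse rather than attempt to sanitise.
    tail = path + parts.query + parts.fragment
    if any(ord(c) < 0x20 or c == "\x7f" for c in tail):
        return default

    # Rebuild with empty scheme and netloc so only path/query/fragment remain.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs: an absolute external URL, a protocol-relative
    # URL, a backslash variant, a non-http scheme and a legitimate local path.
    for sample in ("https://evil.example/phish?x=1", "//evil.example/phish",
                   "/\\evil.example", "javascript:alert(1)", "/dashboard?tab=1#top"):
        print(f"{sample!r:40} -> {relative_redirect_target(sample)!r}")
```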