
CVE-2019-11016: Elgg open redirect

CVSS Score: 6.1 (CVSS v3.0)

Basic Information

EPSS Score: 0.47936%
Published: 5/14/2022
Updated: 9/28/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions    First Patched Version
elgg/elgg      composer    < 1.12.18              1.12.18
elgg/elgg      composer    >= 2.3.0, < 2.3.11     2.3.11

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The key evidence comes from the 2.3.11 patch notes, which mention "more consistency in resource gatekeepers" (commit 60a045a3). Open redirects typically occur when a redirect parameter (e.g., return_to, next) is not validated against the site's own origin before being placed in a Location header. The gatekeeper component most likely performed access-control checks and, when a check failed, redirected the user to a target taken from the request, but it accepted arbitrary URLs there, so an attacker-crafted link could bounce a victim through the Elgg site to an external destination. The exact function is not specified in the available data, but the gatekeeper's role in resource access and the patch's focus on consistency suggest that this component contained the vulnerable logic. Confidence is medium because the analysis relies on patch descriptions rather than direct code review.
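The pattern the analysis describes, shown as an added PHP example that is not Elgg's own code: one helper hands a request parameter straight to the redirect (the open-redirect shape), the other accepts only same-site targets and falls back otherwise. The parameter name return_to, both function names and the site URL social.example are assumptions, and the inputs exercised at the bottom are constructed.

```php
<?php
// Added example, not Elgg project code. Parameter and function names are hypothetical.
declare(strict_types=1);

// Vulnerable shape: whatever the client supplied becomes the redirect target.
// https://evil.example/ and //evil.example both pass straight through.
function vulnerable_gatekeeper_redirect(array $query): string
{
    return $query['return_to'] ?? '/';
}

// Hardened shape: accept only a site-relative path or an absolute URL on the
// site's own host, and always return a site-relative path to the caller.
function safe_redirect_target(?string $candidate, string $site_url, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Control characters (including CR/LF) would allow header injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // Browsers treat "/\evil.example" like "//evil.example", so normalise first.
    $normalized = str_replace('\\', '/', $candidate);

    $site = parse_url($site_url);
    if ($site === false || !isset($site['host'])) {
        return $fallback;
    }
    $site_host = strtolower($site['host']);

    // A relative path must start with exactly one "/": "//host" is protocol-relative.
    if ($normalized[0] === '/') {
        return (isset($normalized[1]) && $normalized[1] === '/') ? $fallback : $normalized;
    }

    // Absolute URL: http/https only, host must match, no userinfo tricks
    // ("https://site@evil.example" parses as user=site, host=evil.example).
    $parts = parse_url($normalized);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback; // covers "javascript:..." (no host) and "evil.example/x" (no scheme)
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (strtolower($parts['host']) !== $site_host || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    // Rebuild as a site-relative path so the site's own scheme and port are used.
    $rebuilt = $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $rebuilt .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $rebuilt .= '#' . $parts['fragment'];
    }
    return $rebuilt[0] === '/' ? $rebuilt : '/' . $rebuilt;
}

// Constructed inputs covering the usual bypass attempts.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $site = 'https://social.example';
    $cases = [
        '/profile/alice'                        => '/profile/alice',
        'https://social.example/activity?x=1'   => '/activity?x=1',
        'https://evil.example/phish'            => '/',
        '//evil.example/phish'                  => '/',
        '/\\evil.example'                       => '/',
        'https://social.example@evil.example/'  => '/',
        'javascript:alert(1)'                   => '/',
        "/ok\r\nSet-Cookie: x=1"                => '/',
    ];
    foreach ($cases as $input => $expected) {
        $got = safe_redirect_target($input, $site);
        printf("%-45s -> %-18s %s\n",
            json_encode($input, JSON_UNESCAPED_SLASHES), $got, $got === $expected ? 'ok' : 'MISMATCH');
    }
}
```

Returning a site-relative path rather than echoing the validated absolute URL is deliberate: it keeps the response on the scheme and port the application is served from, and removes any chance that a host-match check passes on a string the browser interprets differently.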

WAF Protection Rules

WAF Rule

Elgg before 1.12.18 and 2.3.x before 2.3.11 has an open redirect.
