Miggo Logo
Miggo Vulnerability Database
CVE-2020-13486

CVE-2020-13486:
Knock Knock plugin Open redirection vulnerability

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-13486
GHSA ID
GHSA-m69r-4h68-xq7j
EPSS Score
0.42476%
CWE
CWE-601
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
verbb/knock-knockcomposer< 1.2.81.2.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The changelog explicitly states that version 1.2.8 added validation for the redirect parameter to prevent malicious redirection. This indicates the login handler previously accepted unvalidated redirect URLs from user input. The vulnerability pattern matches CWE-601 (Open Redirect) where untrusted URLs are used for redirection. While exact function names aren't visible in provided resources, Craft CMS's MVC architecture strongly suggests the vulnerability existed in the controller handling login redirection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Kno*k Kno*k plu*in ***or* *.*.* *or *r**t *MS *llows m*li*ious r**ir**tion.

Reasoning

T** ***n**lo* *xpli*itly st*t*s t**t v*rsion *.*.* ***** v*li**tion *or t** r**ir**t p*r*m*t*r to pr*v*nt m*li*ious r**ir**tion. T*is in*i**t*s t** lo*in **n*l*r pr*viously ****pt** unv*li**t** r**ir**t URLs *rom us*r input. T** vuln*r**ility p*tt*rn