6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-41965

GHSA ID

GHSA-r3qr-vwvg-43f7

EPSS Score

0.1883%

CWE

CWE-601

Published

11/30/2022

Updated

1/28/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-41965

CVE-2022-41965: Authenticated OpenRedirect Vulnerability

Description Prior to Opencast 12.5 Opencast's Paella authentication page could be used to redirect to an arbitrary URL for authenticated users.

Impact The vulnerability allows attackers to redirect users to sites outside of your Opencast install, potentially facilitating phishing attacks or other security issues.

Patches This issue is fixed in Opencast 12.5 and newer

References Patch fixing the issue

If you have any questions or comments about this advisory: Open an issue in our issue tracker Email us at security@opencast.org

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-41965

CVE-2022-41965:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-41965

GHSA ID

GHSA-r3qr-vwvg-43f7

EPSS Score

0.1883%

CWE

CWE-601

Published

11/30/2022

Updated

1/28/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.opencastproject:opencast-common	maven	< 12.5	12.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the auth.html's JavaScript code that handled redirect parameters. The pre-patch code (shown in the diff) lacked hostname validation when processing the 'redirect' parameter, using it directly in window.location.href. The patch added critical validation by comparing window.location.hostname with redirect URL's hostname. The absence of this validation in vulnerable versions allowed arbitrary redirects, matching the CWE-601 description of open redirect vulnerabilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-41965: Authenticated OpenRedirect Vulnerability

CVE-2022-41965:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.1

6.1

CVE-2022-41965: Authenticated OpenRedirect Vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI