6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-w228-rfpx-fhm4

GHSA-w228-rfpx-fhm4: cg vulnerable to an Open Redirect Vulnerability on Referer Header

Summary

A vulnerability has been discovered in the handling of the referrer header in the application, which could allow an attacker to conduct open redirects. The issue arises from improper validation of the referrer header in certain conditions. By manipulating the referrer header, an attacker could potentially redirect users to malicious websites, phishing pages, or other dangerous destinations.

PoC

If you change the referer header, you will be redirected to that domain without verifying.

https://github.com/Clinical-Genomics/cg/blob/master/cg/server/invoices/views.py#L173

Impact

An attacker exploiting this vulnerability could trick users into visiting malicious websites or disclose sensitive information by redirecting them to unintended destinations. This could lead to various attacks including phishing, malware distribution, or further exploitation of other vulnerabilities.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-w228-rfpx-fhm4

GHSA-w228-rfpx-fhm4:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cg	pip	< 60.2.12	60.2.12

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from line 173 in views.py where redirect(request.referrer) was called. The Referer header is user-controlled input and was not validated/sanitized before being used for redirection. The patched version replaced this with a controlled URL from undo_invoice(), confirming the vulnerability was in the original redirect() call using request.referrer. The invoice view function is the clear entry point for this exploit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-w228-rfpx-fhm4: cg vulnerable to an Open Redirect Vulnerability on Referer Header

Summary

PoC

Impact

GHSA-w228-rfpx-fhm4:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.1

6.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

GHSA-w228-rfpx-fhm4: cg vulnerable to an Open Redirect Vulnerability on Referer Header

Summary

PoC

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI