Eventum 3.3.4 - Open Redirection

Overview

An Open Redirection vulnerability exists in Eventum Issue Tracker version 3.3.4. The vulnerability allows remote attackers to redirect users to arbitrary external websites.

Vulnerability Details

Affected Versions: 3.3.4 and earlier

Root Cause: Insufficient validation of redirect URLs allows attackers to redirect users to malicious websites.

Exploitation Requirements

  • No authentication required
  • Victim must click a crafted link

Impact

Remote attackers can exploit this vulnerability to:

  • Redirect users to phishing sites
  • Steal user credentials via fake login pages
  • Distribute malware

Proof of Concept

Details available upon request.

Solution

Upgrade to a patched version of Eventum that includes proper URL validation.
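As an added illustration of what "proper URL validation" for a redirect parameter looks like, the following is example code written for this advisory, not Eventum's own fix; the allowed host name and the default landing page are assumptions. It accepts only site-relative paths or absolute URLs on the application's own host and falls back to a fixed page for everything else, including the protocol-relative, backslash and userinfo variants that naive checks miss.

```python
"""Redirect-target validation for an open-redirect fix (added example).

Assumptions (not from the advisory): the tracker is served from
tracker.example.com and the post-login landing page is /list.php.
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"tracker.example.com"}   # constructed value
DEFAULT_TARGET = "/list.php"              # constructed value


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that stays on the application, or `default`.

    Accepts only (a) absolute http(s) URLs whose host is in `allowed_hosts`
    and that carry no userinfo, or (b) site-relative paths starting with a
    single '/'. Everything else (other schemes, protocol-relative '//host',
    backslash variants, control characters) falls back to `default`.
    """
    if not raw:
        return default
    # Browsers treat '\' like '/' in URLs, so '/\evil.example' means '//evil.example'.
    candidate = raw.strip().replace("\\", "/")
    # Browsers strip tabs, newlines and other control characters before parsing,
    # which can splice a forbidden prefix back together; reject them outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return default
    # Protocol-relative '//host' (and '///host', which browsers also collapse).
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return default            # javascript:, data:, etc.
        host = parts.hostname         # already lower-cased by urlsplit
        if host is None or host not in allowed_hosts:
            return default            # foreign host, or 'http:evil' with no authority
        if parts.username is not None or parts.password is not None:
            return default            # 'https://trusted@evil' trick
        return candidate
    if parts.netloc or not parts.path.startswith("/"):
        return default
    # Rebuild from components so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```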

References

  • Vendor notification sent