id: CVE-2011-5252 info: name: Orchard 'ReturnUrl' Parameter URI - Open Redirect author: ctflearner severity: medium description: | Open redirect vulnerability in Users/Account/LogOff in Orchard 1.0.x before 1.0.21, 1.1.x before 1.1.31, 1.2.x before 1.2.42, and 1.3.x before 1.3.10 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the ReturnUrl parameter. impact: | An attacker can craft a malicious URL to redirect users to a malicious website, leading to phishing attacks. remediation: | Validate and sanitize user input for the 'ReturnUrl' parameter to prevent open redirect vulnerabilities. reference: - https://www.exploit-db.com/exploits/36493 - https://nvd.nist.gov/vuln/detail/CVE-2011-5252 - https://www.invicti.com/web-applications-advisories/open-redirection-vulnerability-in-orchard/ - https://exchange.xforce.ibmcloud.com/vulnerabilities/72110 - http://orchard.codeplex.com/discussions/283667 classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N cvss-score: 5.8 cve-id: CVE-2011-5252 cwe-id: CWE-20 epss-score: 0.02747 epss-percentile: 0.89537 cpe: cpe:2.3:a:orchardproject:orchard:1.0:*:*:*:*:*:*:* metadata: max-request: 1 vendor: orchardproject product: orchard tags: cve,cve2011,redirect,orchard,orchardproject http: - method: GET path: - "{{BaseURL}}/orchard/Users/Account/LogOff?ReturnUrl=%2f%2fhttp://interact.sh%3f" matchers: - type: regex part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:http?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' # digest: 4a0a0047304502202d673b4b7cc1d784294304ab423ab567469818c5629174ef4db522882f1efa02022100fc9c5c6b6d14ff859b62ad27206a46a7e2b4cc06d3e6cced6cb311f03371b6a1:922c64590222798bb761d5b6d8e72950