id: CVE-2011-5252 info: name: Orchard 'ReturnUrl' Parameter URI - Open Redirect author: ctflearner severity: medium description: | Open redirect vulnerability in Users/Account/LogOff in Orchard 1.0.x before 1.0.21, 1.1.x before 1.1.31, 1.2.x before 1.2.42, and 1.3.x before 1.3.10 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the ReturnUrl parameter. remediation: | Validate and sanitize user input for the 'ReturnUrl' parameter to prevent open redirect vulnerabilities. reference: - https://www.exploit-db.com/exploits/36493 - https://nvd.nist.gov/vuln/detail/CVE-2011-5252 - https://www.invicti.com/web-applications-advisories/open-redirection-vulnerability-in-orchard/ - https://exchange.xforce.ibmcloud.com/vulnerabilities/72110 - http://orchard.codeplex.com/discussions/283667 classification: cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N cvss-score: 5.8 cve-id: CVE-2011-5252 cwe-id: CWE-20 epss-score: 0.02747 epss-percentile: 0.8945 cpe: cpe:2.3:a:orchardproject:orchard:1.0:*:*:*:*:*:*:* metadata: max-request: 1 vendor: orchardproject product: orchard tags: cve,cve2011,redirect,orchard http: - method: GET path: - "{{BaseURL}}/orchard/Users/Account/LogOff?ReturnUrl=%2f%2fhttp://interact.sh%3f" matchers: - type: regex part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:http?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' # digest: 4a0a004730450220659e1f80e6ea8f8d6c493df35cfc2402cdb5ab85f31b79e7ea56b90344c11569022100f4f7552ca244ef37917e28d982737ebe47bd837ac437f29e2bc040bc5babef0c:922c64590222798bb761d5b6d8e72950