Hello Team
I'm Dhruv, a security researcher, and I would like to report an issue on your website.
(attachment: compressed.mp4)
Summary
Open Redirect Vulnerability On Login Page leads to malicious website after successful login
URL: https://gufum.leantime.io/auth/login?redirect=%2Fgoalcanvas%2FshowCanvas
Details
The website is allowing redirection to www.evil.com after a successful login.
Parameter: login?redirect=
URL with payload: https://gufum.leantime.io/auth/[email protected]
The above URL leads to an open redirect.
Payload: @evil.com
Steps To Reproduce:
1. Take this URL: https://gufum.leantime.io/auth/login?redirect=%2Fgoalcanvas%2FshowCanvas
2. Change it to whatever URL you want to redirect to.
3. Login with your credentials.
4. You will be redirected to that site (evil.com).
PoC
A video is attached as the PoC.
Impact
An attacker can use this vulnerability to redirect users to other malicious websites, which can be used for phishing and similar attacks
by which the attacker can easily harvest the credentials of your customers which is very dangerous and critical has a direct business impact as customers account can be on risk.
Thank you
Dhruv Gupta
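A defensive check for the `redirect` parameter described in this report, added here as an example; it is not part of the report and not Leantime's own code. `APP_ORIGIN` is taken from the report's URL, and the function names and the `redirect` query key handling are assumptions about how such a login handler would be wired.

```python
from typing import Optional
from urllib.parse import urlsplit, urljoin, parse_qs

# Origin of the application, taken from the URL in the report.
APP_ORIGIN = "https://gufum.leantime.io"
DEFAULT_AFTER_LOGIN = "/"


def is_safe_redirect(target: str) -> bool:
    """Return True only for same-origin, path-only redirect targets."""
    if not target or len(target) > 2048:
        return False
    # Control characters, whitespace and backslashes are normalised by
    # browsers in ways that can turn a path into a different host.
    if any(c in target for c in "\r\n\t\\\x00 "):
        return False
    # Must be an absolute path on this origin: "/x", never "//host" or "https://host".
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    # '@' is the trick from the report: "https://host" + "@evil.com" parses as
    # credentials "host" at host evil.com, so refuse it anywhere in the value.
    if "@" in target:
        return False
    # Final check: resolve against the real origin and confirm the host is unchanged.
    resolved = urlsplit(urljoin(APP_ORIGIN, target))
    return resolved.scheme == "https" and resolved.netloc == urlsplit(APP_ORIGIN).netloc


def post_login_target(raw: Optional[str]) -> str:
    """Pick where to send the user after login; fall back to a fixed safe page."""
    return raw if raw and is_safe_redirect(raw) else DEFAULT_AFTER_LOGIN


def post_login_target_from_query(query_string: str) -> str:
    """Same decision, starting from the raw query string (hypothetical entry point)."""
    values = parse_qs(query_string).get("redirect", [])
    return post_login_target(values[0] if values else None)
```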