Publish GHSA-hfj7-542q-8fvv

advisory-database[bot] · advisory-database[bot] · commit f3774f6d4b67 · 2025-07-17T19:42:18.000Z
diff --git a/advisories/github-reviewed/2025/07/GHSA-hfj7-542q-8fvv/GHSA-hfj7-542q-8fvv.json b/advisories/github-reviewed/2025/07/GHSA-hfj7-542q-8fvv/GHSA-hfj7-542q-8fvv.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hfj7-542q-8fvv",
+  "modified": "2025-07-17T19:40:59Z",
+  "published": "2025-07-17T19:40:59Z",
+  "aliases": [
+    "CVE-2025-54066"
+  ],
+  "summary": "DiracX-Web is vulnerable to attack through an Open Redirect on its login page",
+  "details": "### Summary\n\nAn attacker can forge a request to redirect an authenticated user to any arbitrary website.\n\n### Details\n\nOn the login page, we have a `redirect` field which is the location where the server will redirect the user. This URI is not verified, and can be an arbitrary URI.\n\nPaired with a parameter pollution, we can hide our malicious URI (ex: `https://dns.com/?param1=im_hidden_if_theres_lot_of_args?param1=bbb`).\n\n### PoC\n\nhttps://diracx-cert.app.cern.ch/auth?redirect=https://ipcim.com/en/where/?dsdsd=qsqsfsjfnsfniizaeiaapzqlalkqkaizqqijsjaopmqmxna?redirect=https://diracx-cert-app.cern.ch/auth\n\nThis POC can leak user's position.\n\n### Impact\n\nThis could be used for phishing and extracting new data (such as redirecting to a new \"log in\" page, and asking users to reenter credentials).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@dirac-grid/diracx-web-components"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.1.0-a8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/DIRACGrid/diracx-web/security/advisories/GHSA-hfj7-542q-8fvv"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54066"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/DIRACGrid/diracx-web/commit/eba3b7bc4f9d394074215986e6d3c15b546b25d5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/DIRACGrid/diracx-web"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-601"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-07-17T19:40:59Z",
+    "nvd_published_at": "2025-07-17T15:15:27Z"
+  }
+}
