CVE-2021-21354
Severity: HIGH
Pollbot < 1.4.4 - Open Redirect via URL Path Injection
Title source: llmDescription
Pollbot is open source software which "frees its human masters from the toilsome task of polling for the state of things during the Firefox release process." In Pollbot before version 1.4.4 there is an open redirect vulnerability in the path handling of "https://pollbot.services.mozilla.com/": a request path beginning with "//" is used as the redirect target, and browsers interpret a Location such as "//evil.com/" as a scheme-relative URL pointing at a different host. An attacker can therefore send anyone who follows a crafted link to a malicious site. To reproduce, open "https://pollbot.services.mozilla.com//evil.com/"; affected versions redirect to that site when a payload like "//evil.com/" is injected into the path. This is fixed in version 1.4.4.
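As an added illustration (not Pollbot's code and not taken from the advisory), the Python below shows a hypothetical redirect handler that echoes the request path into the Location header, a browser-style check that explains why "//evil.com/" and its variants leave the origin, and a hardened variant that only ever returns a same-origin path. The function names and the sample paths are constructed for this example; the first cross-origin path is the payload quoted in the description.

```python
from urllib.parse import urlsplit, urlunsplit

# Request paths a redirecting endpoint might receive (constructed for this
# example). The first is the advisory's payload; the others are variants that
# browsers also resolve to a foreign host.
CROSS_ORIGIN_PATHS = [
    "//evil.com/",        # scheme-relative URL
    "///evil.com/",       # browsers collapse extra slashes to "//"
    "/\\evil.com/",       # backslash is treated as "/" in http(s) URLs
    "/\t/evil.com/",      # tabs and newlines are stripped during URL parsing
    "https://evil.com/",  # explicit scheme
]
SAME_ORIGIN_PATHS = ["/", "/firefox/87.0", "/firefox/87.0/?x=1"]


def vulnerable_redirect_target(path: str) -> str:
    """Hypothetical pre-fix behaviour: the request path becomes the Location
    value unchanged. This is an illustration, not Pollbot's real handler."""
    return path


def looks_cross_origin(location: str) -> bool:
    """Approximate how a browser resolves a Location header (WHATWG URL
    parsing): tabs/newlines are dropped, backslashes act as slashes, and a
    value that then starts with "//" or carries an explicit scheme selects a
    new host instead of staying on the current origin."""
    cleaned = "".join(ch for ch in location if ch not in "\t\r\n")
    cleaned = cleaned.replace("\\", "/")
    return cleaned.startswith("//") or bool(urlsplit(cleaned).scheme)


def safe_redirect_target(path: str, fallback: str = "/") -> str:
    """Return a same-origin redirect target derived from ``path``, or ``fallback``.

    Rejects, rather than tries to repair, anything a browser could treat as a
    different origin: control characters, backslashes, an explicit scheme or
    host, and a leading "//" (checked on the raw string, because urlsplit
    reads "///evil.com/" as a plain path while browsers read it as a host).
    Only the path and query are rebuilt; the fragment is never sent to the
    server, so it is dropped.
    """
    if not path or any(ord(ch) < 0x20 for ch in path) or "\\" in path:
        return fallback
    if path.startswith("//"):
        return fallback
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for p in CROSS_ORIGIN_PATHS + SAME_ORIGIN_PATHS:
        vuln = vulnerable_redirect_target(p)
        print(f"{p!r:22} vulnerable -> {vuln!r} (cross-origin: {looks_cross_origin(vuln)})"
              f" | hardened -> {safe_redirect_target(p)!r}")
```

The hardened function deliberately falls back to a fixed local path instead of stripping the offending characters: normalising "//evil.com/" to "/evil.com/" would still honour attacker-controlled input, and an allow-list of known local routes is the only thing worth redirecting to.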
References (6)
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/mozilla/PollBot/security/advisories/GHSA-jhgx-wmq8-jc24
Issue Tracking, Permissions Required, Third Party Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1694684
Third Party Advisory x_refsource_misc
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
Third Party Advisory x_refsource_misc
https://github.com/mozilla/PollBot/releases/tag/v1.4.4
Patch, Third Party Advisory x_refsource_misc
https://github.com/mozilla/PollBot/pull/333
Patch, Third Party Advisory x_refsource_misc
https://github.com/mozilla/PollBot/commit/6db74a4fcbff258c7cdf51a6ff0724fc10c485e5
Scores
CVSS v3
7.4
EPSS
0.0084
EPSS Percentile
75.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Details
CWE
CWE-601
Status
published
Products (1)
mozilla/pollbot
< 1.4.4
Published
Mar 08, 2021
Tracked Since
Feb 18, 2026