CVE-2022-25295
MEDIUMgophish < 0.12.0 - Open Redirect via Next Query Parameter
Title source: llmDescription
This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parse(r.FormValue("next")) to extract path and eventually redirect user to a relative URL, but if next parameter starts with multiple backslashes like \\\\\\example.com, browser will redirect user to http://example.com.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOPHISHGOPHISH-2404177
Patch, Third Party Advisory x_refsource_misc
https://github.com/gophish/gophish/pull/2262
Scores
CVSS v3
5.4
EPSS
0.0053
EPSS Percentile
40.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Details
CWE
CWE-601
Status
published
Products (2)
getgophish/gophish
< 0.12.0
gophish/gophish
0 - 0.12.0Go
Published
Sep 11, 2022
Tracked Since
Feb 18, 2026