CVE-2021-24288: AcyMailing < 7.5.0 - Unauthenticated Open Redirect
First published: Mon May 17 2021(Updated: )
When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Phlymail | <7.5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2021-24288.
What is the title of this vulnerability?
The title of this vulnerability is 'When subscribing using AcyMailing the redirect parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.'
How does this vulnerability affect AcyMailing?
This vulnerability affects AcyMailing when subscribing.
What is the severity of CVE-2021-24288?
The severity of CVE-2021-24288 is medium with a CVSS score of 6.1.
How can this vulnerability be fixed?
To fix this vulnerability, users should update AcyMailing to version 7.5.1 or later and ensure that input validation and sanitization are properly implemented.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/severity
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/acymailing
- canonical/phlymail