There exists an
Open URL redirect vulnerability in the 1.x.x branch of Orange Forum. An attacker can send an Orange Forum user a crafted link targeting the login page of Orange Forum, with a
next query parameter of the form
//evil.com. Having clicked the link and authenticated, the targeted user will then be redirected to
After discussion with the maintainer they have discontinued the 1.x.x branch and do not intend to initiate a fix for this branch. If you are using 1.x.x please update to the 2.x branch.
Orange Forum (https://github.com/s-gv/orangeforum)
Versions from the 1.x.x branch are affected (including the latest release, 1.4.0),
master is not.
The login handler tries to verify that the URL to be redirected to after a successful login is a local URL. It does so by checking whether the URL starts with a slash, which is insufficient: URLs starting with two slashes are non-local.
Information Disclosure and potential clientside exploitation.
Coordinated Disclosure Timeline
- 05/29/2020: report sent to maintainer
- 06/16/2020: report acknowledged, maintainer says branch is no longer maintained and advises update to 2.x
- 08/31/2020: disclosure deadline expired
You can contact the GHSL team at
firstname.lastname@example.org, please include
GHSL-2020-126 in any communication regarding this issue.