GHSA-2qjj-h6wp-c7h7 | Severity: Medium | CVSS 5.4
Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers
### CVE IDs covered (1)
### Description
### Impact
Some of the Surface Controllers the CMS provides to support member-related operations fail to validate redirect URLs. Razor templates that derive `RedirectUrl` from user-controlled query parameters are therefore vulnerable to open redirect attacks, where a crafted link sends the member to an attacker-chosen site after the form is submitted.
### Patches
The issue is resolved in versions 17.4.0 and 13.14.0.
### Workarounds
If users cannot upgrade immediately, they can mitigate the issue in their own site by ensuring every Razor form that posts to `UmbLoginStatusController`, `UmbProfileController` or `UmbRegisterController` passes a concrete, trusted `RedirectUrl` into the route values of `Html.BeginUmbracoForm`, rather than a value copied from the request.
For example:
```cshtml
@using (Html.BeginUmbracoForm<UmbLoginStatusController>(
    "HandleLogout",
    new { RedirectUrl = Model.Url() }))
{
    <button type="submit">Log out</button>
}
```
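As an added example (not from the advisory or the Umbraco project), the same logout form for a site that wants to honour a `returnUrl` query parameter: the value is only forwarded after `Url.IsLocalUrl` confirms it is a same-site path, and otherwise the form falls back to the current page. It assumes the view derives from `UmbracoViewPage` with the default `_ViewImports` (so `Url`, `Context`, `Model.Url()` and the `Umb*` controllers resolve).

```cshtml
@{
    // Vulnerable pattern (do not use): the redirect target is taken straight from
    // the query string, so a link carrying ?returnUrl=https://other.example sends
    // the member off-site once the logout form posts.
    //
    //   string redirectUrl = Context.Request.Query["returnUrl"];

    // Hardened pattern: accept the query value only when the ASP.NET Core helper
    // confirms it is a local path. Url.IsLocalUrl rejects absolute URLs and the
    // scheme-relative forms //other.host and /\other.host that plain "starts with /"
    // checks let through. Anything else falls back to the current page.
    string? candidate = Context.Request.Query["returnUrl"];
    string redirectUrl = !string.IsNullOrEmpty(candidate) && Url.IsLocalUrl(candidate)
        ? candidate
        : Model.Url();
}
@using (Html.BeginUmbracoForm<UmbLoginStatusController>(
    "HandleLogout",
    new { RedirectUrl = redirectUrl }))
{
    <button type="submit">Log out</button>
}
```

The same check applies to forms posting to `UmbProfileController` and `UmbRegisterController`; a site-wide allow-list of known paths is an equally valid replacement for `Url.IsLocalUrl` if the set of legitimate targets is small.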
### Resources
https://github.com/umbraco/Umbraco-CMS/pull/22565
https://github.com/umbraco/Umbraco-CMS/pull/22561
### Affected products (2)
- nuget/Umbraco.Cms: < 13.14.0
- nuget/Umbraco.Cms: >= 17.3.0-rc, < 17.4.0