Elgg Open-Source Framework Hit by Serious Redirect Vulnerability
Cybersecurity experts, including Nicolas Grégoire, have discovered a significant vulnerability in Elgg, an open-source web application framework. The issue, an open redirect vulnerability, could be exploited for phishing or cross-site scripting (XSS) attacks. Affected versions of Elgg require urgent patching.
The Elgg framework, used for building socially aware web applications, was found to take redirect targets from the HTTP Referer header. Because that header is under the client's control, an attacker can use it to send users to a site of their choosing, which facilitates phishing or XSS attacks. The vulnerability, tracked as CVE-2019-11016, allows an attacker to trigger an open redirect by entering a specific path.
Qualys Web Application Scanning (WAS) has enhanced its reporting to identify such open redirect vulnerabilities. Organizations using Elgg versions before 1.12.18 or 2.3.x before 2.3.11 are advised to upgrade immediately to remediate this issue. The OWASP Unvalidated Redirects and Forwards Prevention Cheat Sheet provides general guidance on mitigating open redirect vulnerabilities.
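The defensive pattern the OWASP cheat sheet describes is to never trust a client-supplied redirect target (a Referer header, a `next` parameter) without validating it. The following is an added illustration written for this article, not code from Elgg or from the advisory; Elgg itself is PHP, but the check is shown in Python so it can be run directly. It shows the weak "trust the Referer" pattern beside a hardened check that only accepts site-local absolute paths or absolute URLs whose host is on an allowlist, and it covers the edge cases that commonly slip past naive checks (protocol-relative `//host`, backslash variants, `javascript:` schemes, userinfo tricks like `allowed@evil`, and look-alike subdomains). The host name `social.example.org` and the sample headers are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample: the host(s) this hypothetical deployment legitimately serves.
ALLOWED_HOSTS = {"social.example.org"}


def unsafe_redirect_target(headers: dict, default: str = "/") -> str:
    """The weak pattern: whatever the client put in Referer becomes the redirect.

    This is the shape of an open redirect; it is shown only to contrast with
    the hardened check below.
    """
    return headers.get("Referer") or default


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return `candidate` only if it is a safe place to send the user, else `default`.

    Accepted:
      - a site-local absolute path such as "/dashboard?tab=1"
      - an http(s) URL whose host is exactly in `allowed_hosts`
    Everything else (protocol-relative URLs, non-http schemes, foreign hosts,
    malformed input, control characters) falls back to `default`.
    """
    if not candidate:
        return default

    # Reject control characters and whitespace outright: browsers and
    # parsers disagree on how to strip them, which is how filters get bypassed.
    if any(ord(c) < 0x21 for c in candidate):
        return default

    # Browsers normalise backslashes to slashes, so "/\evil.example" is
    # really "//evil.example" (a protocol-relative URL to a foreign host).
    normalised = candidate.replace("\\", "/")
    parts = urlsplit(normalised)

    if parts.scheme == "" and parts.netloc == "":
        # Purely relative input. Require a single leading slash so it stays
        # on this origin; "//host" has a netloc and never reaches this branch.
        if normalised.startswith("/") and not normalised.startswith("//"):
            return normalised
        return default

    # Absolute URL (or something with a netloc). Only http/https may pass;
    # this blocks javascript:, data:, and protocol-relative "//host" forms.
    if parts.scheme not in ("http", "https"):
        return default

    # .hostname is lower-cased and has userinfo ("user@") and port removed,
    # so "https://social.example.org@evil.example/" yields "evil.example".
    # Exact set membership also rejects "social.example.org.evil.example".
    host = parts.hostname
    if host is not None and host in allowed_hosts:
        return normalised
    return default


def redirect_from_referer(headers: dict, default: str = "/") -> str:
    """The hardened counterpart of unsafe_redirect_target()."""
    return safe_redirect_target(headers.get("Referer"), default=default)


if __name__ == "__main__":
    # Constructed request headers, as an attacker might send them.
    hostile = {"Referer": "https://evil.example/login"}
    print("unsafe:", unsafe_redirect_target(hostile))   # follows the attacker's URL
    print("safe:  ", redirect_from_referer(hostile))    # falls back to "/"
```

The check deliberately treats bare relative paths like `dashboard` (no leading slash) as unsafe; if an application needs those, resolve them against a known base URL server-side and re-run the check on the result rather than loosening the rule.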
In summary, Elgg-based web applications are vulnerable to open redirect attacks, which can be exploited for phishing or XSS attacks. Organizations are urged to upgrade to patched versions of Elgg (1.12.18 or later, or 2.3.11 or later) to protect against this issue. For further guidance, refer to the OWASP cheat sheet.