Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2022-27463
CVE-2022-27463:
PHP vulnerability analysis and mitigation
Overview
Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6 allows attackers to arbitrarily redirect users from a crafted url to the login page (AttackerKB).
Technical details
The vulnerability exists in the login.json.php file where insufficient validation of the redirectUri parameter allows attackers to specify arbitrary redirect destinations. The issue was fixed by implementing proper domain validation using isSameDomain() function instead of a simple regex pattern match (GitHub).
Impact
This vulnerability could be exploited to conduct phishing attacks by redirecting users from a legitimate AVideo platform URL to malicious websites, potentially leading to credential theft or other social engineering attacks.
Mitigation and workarounds
The vulnerability has been patched by implementing proper domain validation in the login.json.php file. Users should upgrade to a version after 11.6 that includes this security fix (GitHub).
Additional resources
Source: This report was generated using AI
Related PHP vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management