CVE-2024-47530: 
Homebrew vulnerability analysis and mitigation

Scout, a web-based visualizer for VCF-files, was found to contain an open redirect vulnerability that enables phishing attacks by redirecting users to malicious pages. The vulnerability was discovered in September 2024 and affects all versions up to 4.88.1, with a fix released in version 4.89. The vulnerability specifically affects the /login API endpoint through the 'next' parameter due to insufficient sanitization logic (GitHub Advisory).

The vulnerability exists in the login endpoint where the 'next' parameter value is stored in session["nexturl"] without proper validation. Upon successful login, the performlogin function executes a redirect based on the stored next_url parameter, which can point to any external domain. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N by NIST NVD, while GitHub assessed it at 5.4 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to redirect victims to malicious websites for potential credential theft and sensitive information collection. Additionally, due to lack of scheme validation, attackers can perform HTTPS Downgrade Attacks, potentially enabling Man-in-the-Middle (MitM) attacks to steal sessions and perform account takeovers (GitHub Advisory).

The vulnerability has been patched in Scout version 4.89. Users are advised to upgrade to this version or later to protect against potential attacks. The fix involves removing the open redirect functionality and ensuring users are always redirected to the cases page upon login (GitHub Patch).