
Cloud Vulnerability DB
A community-led vulnerabilities database
A moderate severity vulnerability (GHSA-wcx9-ccpj-hx3c) in Coder's login page was disclosed on October 28, 2024. It affects versions 2.16.0, 2.15.0 through 2.15.2, and 2.3.1 through 2.14.3. The flaw is an open redirect: after a successful login, the page can send the user to an untrusted website chosen by an attacker (GitHub Advisory).
The root cause is missing validation of the redirect query parameter on the login page. When a login succeeds, the application checks whether the parameter is present and navigates to whatever location it names. Because the value is not restricted to locations within the Coder deployment itself, an attacker can craft a login URL whose redirect parameter points to an external site. The vulnerability carries a CVSS v3.1 base score of 4.3 (Moderate) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: reachable over the network with low attack complexity and no privileges required, but dependent on user interaction, with a limited integrity impact and no confidentiality or availability impact (GitHub Advisory).
The practical impact is that a user who follows a maliciously crafted login link ends up, after authenticating to the genuine Coder instance, on a site the attacker controls, which is the usual setup for a phishing page. The redirect does not hand the Coder authentication token to the destination site, so the flaw does not by itself allow credential or token theft (GitHub Advisory).
Fixes are available in v2.16.1, v2.15.3, and v2.14.4, and administrators should upgrade to the patched release of their minor line. Versions prior to 2.3.1 are not affected (GitHub Advisory).
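To make the failure mode concrete, here is an added example, not Coder's own code, showing the vulnerable pattern beside a hardened check for a post-login redirect parameter. It runs under Node or in a browser; the origin https://coder.example.com, the function names and the sample redirect values are constructed for illustration.

```javascript
// Added example (not Coder's code). Assumed application origin, constructed
// for this illustration; in a browser this would be window.location.origin.
const APP_ORIGIN = "https://coder.example.com";

// Vulnerable pattern: trust the `redirect` parameter wholesale. A value such as
// "//evil.example/phish" or "https://evil.example/" leaves the site entirely.
function vulnerableRedirectTarget(search, fallback = "/") {
  const params = new URLSearchParams(search);
  const redirect = params.get("redirect");
  return redirect ? redirect : fallback;
}

// Hardened version: resolve the value against the app origin with the WHATWG
// URL parser, then require the result to stay on that origin. This rejects
// absolute URLs to other hosts, protocol-relative "//host" values, the
// backslash variant "/\host" (which the parser treats as "//host"), and
// non-http schemes such as "javascript:" (whose origin is "null").
function safeRedirectTarget(search, fallback = "/", origin = APP_ORIGIN) {
  const params = new URLSearchParams(search); // percent-decodes the value
  const redirect = params.get("redirect");
  if (!redirect) return fallback;

  let target;
  try {
    target = new URL(redirect, origin);
  } catch {
    return fallback; // unparsable input is not a valid destination
  }

  if (target.origin !== origin) return fallback;

  // Design choice for this example: never bounce back to the login page
  // itself, which would only create a redirect loop.
  if (target.pathname === "/login") return fallback;

  // Return a same-origin path (plus query and fragment), never the resolved
  // absolute URL, so the caller cannot be handed a foreign host by accident.
  return target.pathname + target.search + target.hash;
}
```

In a browser the caller would then do `window.location.assign(safeRedirectTarget(window.location.search))`; the point of resolving with `new URL` rather than string-prefix checks is that the parser applies the same normalisation the browser will, so inputs that merely look like local paths cannot slip through.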
Source: This report was generated using AI