
CVE-2023-6380

Severity: Medium
Published: 13 December 2023
Modified: 21 November 2024
CVSS v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.4328 (97.6th percentile)
Risk Priority: 38 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-6380 is a medium-severity Open Redirect (CWE-601) vulnerability in Alkacon Opencms. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 2.4% of CVEs by EPSS exploit likelihood (97.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

An open redirect vulnerability has been found in the Open CMS product, affecting versions 14 and 15 of the Mercury template. The flaw stems from missing sanitization of the URI parameter; it is tracked as CWE-601 and carries a CVSS 3.1 score of 6.1.

An unauthenticated attacker can craft a malicious link and deliver it to a targeted user; when the victim follows the link, the browser is redirected to an attacker-controlled site, enabling further compromise such as credential theft or malware delivery. The EPSS score has remained in the 0.43–0.49 range, with no material upward trajectory after disclosure.


Vulnerability details

Open redirect vulnerability has been found in the Open CMS product affecting versions 14 and 15 of the 'Mercury' template. An attacker could create a specially crafted URL and send it to a specific user to redirect them to a malicious site and compromise them. Exploitation of this vulnerability is possible due to the fact that there is no proper sanitization of the 'URI' parameter.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: alkacon
Product: opencms
Versions: 14.0.0 to 16.0.0

Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Security awareness: verifying URLs and avoiding untrusted redirects that lead to malicious sites (addresses CWE-601).
- Redirect target validation: validates redirect targets and URLs to ensure they conform to allowed destinations (addresses CWE-601).
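An added example, not code from OpenCms or from this advisory, of the redirect-target validation the second control describes: the request's redirect parameter (the advisory's 'URI') is treated as untrusted and replaced with a safe fallback unless it is a site-relative path or an https URL to an assumed allowlisted host (`cms.example.org` is a placeholder). It also covers the common bypass shapes a validator for CWE-601 has to handle: protocol-relative `//host`, backslash variants, percent-encoded slashes, userinfo tricks, and non-http schemes.

```python
from urllib.parse import urlsplit, unquote

# Assumed allowlist of hosts the application may redirect to (placeholder value).
ALLOWED_HOSTS = {"cms.example.org"}


def safe_redirect_target(uri: str, default: str = "/") -> str:
    """Return a redirect target that stays on-site, or `default` if `uri` is unsafe.

    Safe means: a path rooted at a single '/', or an https URL whose host is in
    ALLOWED_HOSTS. Anything else (other schemes, other hosts, //host shorthands)
    falls back to `default`.
    """
    if not uri:
        return default
    # Decode once so "%2F%2Fhost" is judged as "//host", then normalise
    # backslashes, which browsers treat as forward slashes.
    candidate = unquote(uri).strip().replace("\\", "/")
    # Control characters or embedded whitespace can smuggle a scheme past naive
    # prefix checks (e.g. "java\tscript:"), so reject them outright.
    if any(ord(ch) < 0x20 or ch.isspace() for ch in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only https to an allowlisted host.
        # urlsplit().hostname ignores userinfo, so "https://good@evil/" is judged
        # by "evil", not "good".
        if parts.scheme.lower() != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        return candidate
    # Relative target: must start with exactly one '/'. "//x" and "///x" are
    # host-relative or ambiguous in browsers, so they are rejected.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, mirroring what a redirect parameter might carry.
    for sample in ["/system/login/?x=1", "//evil.example/", "/\\evil.example/",
                   "%2F%2Fevil.example", "https://cms.example.org/abc",
                   "https://cms.example.org@evil.example/", "javascript:alert(1)"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```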
