CVE-2023-6380
Published: 13 December 2023
Summary
CVE-2023-6380 is a medium-severity Open Redirect (CWE-601) vulnerability in Alkacon OpenCms. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
An open redirect vulnerability has been found in OpenCms, affecting versions 14 and 15 of the Mercury template. The flaw stems from missing sanitization of the URI parameter and is tracked as CWE-601 with a CVSS 3.1 score of 6.1.
An unauthenticated attacker can craft a malicious link and deliver it to a targeted user; when the victim follows the link, the browser is redirected to an attacker-controlled site, enabling further compromise such as credential theft or malware delivery. The EPSS score has remained in the 0.43–0.49 range with no material upward trajectory after disclosure.
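The defensive fix for this weakness class is to constrain the redirect parameter to a same-site relative path before using it. The following is an added example, not OpenCms or Mercury code; it assumes the parameter value arrives as a plain string (as the 'URI' parameter described here would) and is written in Python for illustration rather than in the project's Java.

```python
from urllib.parse import urlsplit, unquote

# Characters that must never appear in a redirect target: CR/LF (header
# injection), NUL and tab/space (parser confusion between server and browser).
_FORBIDDEN = "\r\n\t\x00 "


def is_safe_local_redirect(target: str) -> bool:
    """Return True only if `target` is a relative path on this site.

    Rejects absolute URLs, scheme-relative '//host' and '/\\host' forms
    (browsers treat both as a new origin), percent-encoded variants of the
    same, and any value carrying control or whitespace characters.
    """
    if not target:
        return False
    # Decode once so that %2F%2Fevil.example is judged as //evil.example.
    t = unquote(target).strip()
    if any(c in t for c in _FORBIDDEN):
        return False
    # A local path starts with exactly one '/' followed by a path character.
    if not t.startswith("/") or t.startswith("//") or t.startswith("/\\"):
        return False
    parts = urlsplit(t)
    # Belt and braces: the parsed form must have neither scheme nor host.
    return not parts.scheme and not parts.netloc


def safe_redirect_target(param: str, default: str = "/") -> str:
    """Return `param` if it is a safe local path, otherwise `default`.

    Use this on the server side in place of passing the raw parameter to a
    redirect; log rejected values to support detection of probing.
    """
    return param if is_safe_local_redirect(param) else default


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request.
    for sample in ["/index.html", "//evil.example/", "https://evil.example/",
                   "/\\evil.example", "%2F%2Fevil.example", "/page?next=x"]:
        print(f"{sample!r:28} -> {safe_redirect_target(sample)!r}")
```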
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58620
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
Open redirect vulnerability has been found in the Open CMS product affecting versions 14 and 15 of the 'Mercury' template. An attacker could create a specially crafted URL and send it to a specific user to redirect them to a malicious site and compromise them. Exploitation of this vulnerability is possible due to the fact that there is no proper sanitization of the 'URI' parameter.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.