CVE-2025-54066

Published: Jul 17, 2025

Modified: Jul 17, 2025

PUBLISHED

CVSS v3.1

4.7

MEDIUM

Description

DiracX-Web is a web application that provides an interface to interact with the DiracX services. Prior to version 0.1.0-a8, an attacker can forge a request that they can pass to redirect an authenticated user to another arbitrary website. In the login page, DiracX-Web has a `redirect` field which is the location where the server will redirect the user. This URI is not verified, and can be an arbitrary URI. Paired with a parameter pollution, an attacker can hide their malicious URI. This could be used for phishing, and extract new data (such as redirecting to a new "log in" page, and asking another time credentials). Version 0.1.0-a8 fixes this vulnerability.

Vendor	Product	Versions
DIRACGrid	diracx-web	affected `< 0.1.0-a8`

Weaknesses (CWE)

CWE-601

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/DIRACGrid/diracx-web/security/advisories/GHSA-hfj7-542q-8fvv

x_refsource_CONFIRM

https://github.com/DIRACGrid/diracx-web/commit/eba3b7bc4f9d394074215986e6d3c15b546b25d5

x_refsource_MISC

https://diracx-cert.app.cern.ch/auth?redirect=https://ipcim.com/en/where/?dsdsd=qsqsfsjfnsfniizaeiaapzqlalkqkaizqqijsjaopmqmxna?redirect=https://diracx-cert-app.cern.ch/auth

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-54066

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References