KnowBe4 Security Awareness Training Open Redirect Vulnerability
Vulnerability
A vulnerability in the KnowBe4 Security Awareness Training application, present in versions prior to January 10, 2020, allows open redirects. The application's redirect function fails to validate the destination URL before redirecting, which enables phishing attacks or the delivery of malware. The vulnerability was discovered during a security training session.
Impact
Exploitation of this vulnerability could lead to phishing attacks or the delivery of malware, compromising the user's system.
Reproduction
The vulnerability can be reproduced by sending a GET request to the application with a crafted URL that includes an unvalidated redirect destination. The response will include a SCRIPT element that redirects the user to the specified URL, which can be an attacker-controlled site.
Remediation
Users are advised to ensure that any value passed to a redirect parameter is validated as an acceptable destination, or as a URL internal to the application, before the redirect is issued.
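As an added example (not KnowBe4's code), one way to implement that validation on the server side: a function that only ever returns a same-site path or an allow-listed host, and falls back to a fixed landing page for anything else, including protocol-relative, backslash and userinfo forms that browsers treat as a different host. The host name training.example and the /dashboard fallback are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed values: the application's own host and a safe fallback landing path.
ALLOWED_HOSTS = {"training.example"}
DEFAULT_PATH = "/dashboard"


def safe_redirect_target(value: str, default: str = DEFAULT_PATH) -> str:
    """Return a redirect destination that stays inside the application.

    Anything that cannot be shown to be internal (or on the allow-list) is
    replaced by ``default`` rather than patched up, so the redirect can
    never be steered to a site outside the application.
    """
    if not value:
        return default
    # Browsers treat a backslash like a forward slash, so normalise first;
    # otherwise "/\evil.example" would parse as a harmless relative path.
    candidate = value.replace("\\", "/")
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    # Only web schemes are acceptable; this drops javascript:, data:, etc.
    if scheme and scheme not in ("http", "https"):
        return default
    if parts.netloc:
        # Absolute or protocol-relative ("//host/...") URL: the host must be
        # on the allow-list. hostname discards userinfo and the port, so
        # "https://training.example@evil.example" resolves to evil.example.
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return default
        # Re-emit a clean https URL on the allowed host, dropping userinfo.
        return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))
    # No host: require a same-site absolute path with exactly one leading
    # slash. "//" and "///" prefixes are read by browsers as a new host.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```

Relative paths without a leading slash are also sent to the fallback, which is deliberate: resolving them depends on the current page, so they cannot be checked in isolation.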
