OnboardLite Open Redirect Vulnerability Allowing Phishing and Credential Theft

Vulnerability

A moderate open redirect vulnerability has been identified in OnboardLite, a student organization management application at the University of Central Florida. The issue allows an attacker to craft a link that, when clicked, redirects the user to a malicious external site. Such redirection can be exploited for phishing, credential theft, malware delivery, and abuse of trust. The vulnerability exists in all versions prior to commit 6cca19e.

Impact

Exploitation of this vulnerability could lead to unvalidated redirection, allowing for phishing attacks, credential theft, delivery of malware, and general abuse of trust.

Remediation

Users can upgrade to any version after commit 6cca19e to address this vulnerability. This version implements JWT signing for the redirect URL parameter, mitigating the open redirect issue.
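As an added illustration of the mitigation described above (example code, not OnboardLite's own implementation), the server issues a signed HS256 JWT carrying the intended redirect target and, on the return leg, only follows the URL inside a token whose signature verifies and has not expired; unsigned URLs, tampered payloads and expired tokens all fall back to a safe local path. The secret key and URLs are constructed for the demo.

```python
# Added example: redirect-parameter signing (HS256 JWT built from the
# standard library only). Not the project's code; key and URLs are constructed.
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-key-not-a-real-secret"  # assumption: server-side key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_redirect(target: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Issue a compact JWT whose payload names the redirect target and an expiry."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"redirect": target, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def resolve_redirect(token: str, fallback: str = "/", now: Optional[int] = None) -> str:
    """Return the target inside a valid token; anything else yields the fallback."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse 'none' and algorithm confusion
            return fallback
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return fallback  # signature does not match: payload was altered or forged
        payload = json.loads(_b64url_decode(payload_b64))
        if payload.get("exp", 0) < now:
            return fallback  # stale token: a signed link cannot be reused indefinitely
        return payload["redirect"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return fallback  # malformed token, bare URL, or missing fields
```

A raw URL such as `?redirect=https://evil.example/login` is not a valid token, so it never reaches the redirect step.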

Added: Aug 20, 2025, 4:17 PM
Updated: Aug 20, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.0
remediation: 7.7
relevance: 0.4
threat: 3.2
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.