The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 are vulnerable to unvalidated URL redirection, which may result in phishing or social engineering attacks.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-601,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| phoenixframework | phoenix | 1.2.0 |
| phoenixframework | phoenix | 1.0.3 |
| phoenixframework | phoenix | 1.1.3 |
| phoenixframework | phoenix | 1.1.1 |
| phoenixframework | phoenix | 1.0.4 |
| phoenixframework | phoenix | 1.1.6 |
| phoenixframework | phoenix | 1.0.0 |
| phoenixframework | phoenix | 1.1.2 |
| phoenixframework | phoenix | 1.1.4 |
| phoenixframework | phoenix | 1.2.2 |
| phoenixframework | phoenix | 1.0.1 |
| phoenixframework | phoenix | 1.0.2 |
| phoenixframework | phoenix | 1.1.5 |
| phoenixframework | phoenix | 1.3.0-rc.0 |
| phoenixframework | phoenix | 1.1.0 |
tag.ex in Phoenix Phoenix.HTML (aka phoenix_html) before 3.0.4 allows XSS in HEEx class attributes.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| phoenixframework | phoenix_html | * |
socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| phoenixframework | phoenix | * |