LORIS has an open redirect field on login

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, which could be used to trick users into visiting arbitrary URLs if they are given a link with a third party redirect parameter. This vulnerability is fixed in 27.0.3 and 28.0.1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

指向未可信站点的URL重定向(开放重定向)

LORIS Neuroimaging Platform 输入验证错误漏洞

LORIS Neuroimaging Platform是ACElab开源的一个神经影像平台。 LORIS Neuroimaging Platform 27.0.3之前版本和28.0.1之前版本存在输入验证错误漏洞，该漏洞源于登录重定向参数未验证目标是否在LORIS内，可能导致用户被诱导访问任意URL。

N/A

N/A