GHSA-wwwq-jmfm-4f5c
GitHub Security Advisory
⚠ Unreviewed
HIGH
Has CVE
Advisory Details
An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302 HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface.
Related CVEs
Key Information
7.5
/10
Dataset
Last updated: July 25, 2025 6:37 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.