CVE-2021-23495

low-risk
Published 2022-02-25

The package karma before 6.3.16 are vulnerable to Open Redirect due to missing validation of the return_url query parameter.

Do I need to act?

-
0.26% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Karma Project

References (6)

Patch https://github.com/karma-runner/karma/commit/ff7edbb2ffbcdd69761bece86b7dc1ef074...
Patch https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2412347
Patch https://snyk.io/vuln/SNYK-JS-KARMA-2396325
Patch https://github.com/karma-runner/karma/commit/ff7edbb2ffbcdd69761bece86b7dc1ef074...
Patch https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2412347
Patch https://snyk.io/vuln/SNYK-JS-KARMA-2396325
27
/ 100
low-risk
Severity 21/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal