CVE-2023-26494
- Source
- https://cve.org/CVERecord?id=CVE-2023-26494
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26494.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-26494
- Aliases
- Published
- 2023-04-24T16:05:37.982Z
- Modified
- 2026-03-01T02:50:28.849392Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- lorawan-stack has open redirect vulnerability
- Details
-
lorawan-stack is an open source LoRaWAN network server. Prior to version 3.24.1, an open redirect exists on the login page of the lorawan stack server, allowing an attacker to supply a user controlled redirect upon sign in. This issue may allows malicious actors to phish users, as users assume they were redirected to the homepage on login. Version 3.24.1 contains a fix.
- Database specific
{ "cwe_ids": [ "CWE-601" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26494.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26494.json
- https://github.com/TheThingsNetwork/lorawan-stack/blob/ecdef730f176c02f7c9afce98b0457ae64de5bfc/pkg/webui/account/views/login/index.js#L90-L90
- https://github.com/TheThingsNetwork/lorawan-stack/blob/ecdef730f176c02f7c9afce98b0457ae64de5bfc/pkg/webui/account/views/token-login/index.js#L74-L74
- https://github.com/TheThingsNetwork/lorawan-stack/commit/f06776028bdb3994847fc6067613dc61a2b3559e
- https://github.com/TheThingsNetwork/lorawan-stack/releases/tag/v3.24.1
- https://nvd.nist.gov/vuln/detail/CVE-2023-26494
- https://securitylab.github.com/advisories/GHSL-2022-138_lorawan-stack/
Affected packages
Git / github.com/thethingsnetwork/lorawan-stack
Affected ranges
- Type
- GIT
- Repo
- https://github.com/thethingsnetwork/lorawan-stack
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v3.*
v3.0.0
v3.0.0-pre
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.1
v3.1.2
v3.10.0
v3.10.0-rc1
v3.10.0-rc2
v3.10.1
v3.10.2
v3.10.3
v3.10.5
v3.10.6
v3.11.0
v3.11.0-rc1
v3.11.0-rc2
v3.11.1
v3.11.2
v3.11.3
v3.12.0
v3.12.1
v3.12.2
v3.13.0
v3.13.1
v3.13.2
v3.13.3
v3.14.0
v3.14.1
v3.14.2
v3.15.0
v3.15.1
v3.15.2
v3.15.3
v3.16.0
v3.16.1
v3.16.2
v3.17.0
v3.17.1
v3.17.2
v3.18.0
v3.18.1
v3.18.2
v3.19.0
v3.19.1
v3.19.2
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.20.1
v3.20.2
v3.21.0
v3.21.1
v3.22.0
v3.22.1
v3.22.2
v3.23.0
v3.23.1
v3.23.2
v3.24.0
v3.3.0
v3.3.1
v3.3.2
v3.4.0
v3.4.1
v3.4.2
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.6.0-rc1
v3.7.0
v3.7.0-rc2
v3.7.1
v3.8.0
v3.8.1
v3.8.2
v3.8.3
v3.8.4
v3.8.5
v3.9.0
v3.9.0-rc1
v3.9.0-rc2
v3.9.0-rc3
v3.9.0-rc4
v3.9.1
v3.9.3
v3.9.4