Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3049 is an open redirect vulnerability found in Horilla CRM versions up to 1.0.2. It exists in the global search functionality, specifically in the handling of the "prev_url" query parameter within the get function of the horilla_generics/global_search.py file. An attacker can manipulate this parameter to redirect users to arbitrary external websites after performing a search.'}, {'type': 'paragraph', 'content': 'This vulnerability allows attackers to craft malicious URLs that appear to be legitimate but redirect users to attacker-controlled sites, facilitating phishing or social engineering attacks.'}, {'type': 'paragraph', 'content': 'The issue was fixed in version 1.0.3 by validating the redirect URL to ensure it only points to allowed internal hosts and schemes, preventing redirection to unsafe external sites.'}] [2, 3, 4, 5]

Useful 0 Not Useful 0

Impact Analysis

This open redirect vulnerability can impact users by enabling attackers to redirect them to malicious external websites through crafted URLs. This can lead to phishing attacks where users are tricked into providing sensitive information or downloading malware.

Because the vulnerability can be exploited remotely without authentication and requires only user interaction, it poses a risk to any user of the affected Horilla CRM versions up to 1.0.2.

The integrity of the application is affected as attackers can misuse the redirect functionality to deceive users, potentially damaging trust in the application.

Upgrading to version 1.0.3 mitigates this risk by ensuring only safe, internal URLs are used for redirection.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP requests to the /generics/search/ endpoint of Horilla CRM versions up to 1.0.2, specifically looking for the presence of the "prev_url" query parameter containing external URLs.'}, {'type': 'paragraph', 'content': 'A simple way to test for the vulnerability is to craft a URL such as: http://YOUR_HORILLA_DOMAIN/generics/search/?section=home&prev_url=https://attacker.com and observe if the application redirects to the external site.'}, {'type': 'paragraph', 'content': 'Network detection can involve inspecting logs or using tools like curl or wget to simulate requests and check for open redirects.'}, {'type': 'list_item', 'content': 'curl -I "http://YOUR_HORILLA_DOMAIN/generics/search/?section=home&prev_url=https://attacker.com"'}, {'type': 'list_item', 'content': 'Observe the HTTP Location header in the response to see if it redirects to the external URL.'}, {'type': 'list_item', 'content': 'Check web server or application logs for unusual redirect patterns involving the prev_url parameter.'}] [4]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary and recommended mitigation is to upgrade Horilla CRM to version 1.0.3, which includes a patch that properly validates the prev_url parameter to prevent open redirects.'}, {'type': 'paragraph', 'content': "The patch uses Django's url_has_allowed_host_and_scheme utility to ensure that redirect URLs are safe and internal, resetting unsafe URLs to the root path."}, {'type': 'paragraph', 'content': 'Until the upgrade can be applied, consider implementing web application firewall (WAF) rules to block requests with suspicious prev_url parameters pointing to external domains.'}, {'type': 'paragraph', 'content': 'Additionally, educate users to be cautious of unexpected redirects and phishing attempts that may exploit this vulnerability.'}] [1, 2, 5]

Useful 0 Not Useful 0