Executive Summary

This vulnerability exists in the publication module of the LORIS web application versions 20.0.0 through 27.0.2 and 28.0.0. The system incorrectly trusts the baseURL parameter submitted by a user's POST request instead of using an internally defined base URL.

Because of this, an attacker with access to the publication module can forge emails that appear to come from the LORIS system but contain links to external domains controlled by the attacker.

The root cause is that the notify function accepted user-supplied baseURL values and included them in email notifications, allowing potential phishing or redirection attacks.

This issue has been fixed by removing the baseURL parameter from the notify function and updating email templates to avoid direct URL links.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker with access to the publication module to forge emails that appear to come from the LORIS system but direct recipients to external domains controlled by the attacker. This could potentially facilitate phishing attacks or mislead users, which may indirectly impact compliance with standards that require protection against unauthorized data manipulation or phishing, such as GDPR or HIPAA.

However, the CVE description and resources do not explicitly mention any direct impact on confidentiality, integrity, or availability of personal data, nor do they specify compliance violations with regulations like GDPR or HIPAA.

The vulnerability is classified as low severity with no confidentiality impact and only low integrity impact, suggesting limited direct compliance risk, but organizations should consider the phishing risk in their overall security posture.

Useful 0 Not Useful 0

Impact Analysis

An attacker with access to the publication module could exploit this vulnerability to send forged emails that appear to originate from the LORIS system but actually contain links to malicious external sites.

This could lead to phishing attacks or users being redirected to attacker-controlled domains, potentially compromising user trust or leading to further exploitation.

The vulnerability has a low severity score (CVSS 3.5) and requires low privileges and user interaction, so the impact is limited but still notable in environments where the publication module is accessible.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the publication module of LORIS incorrectly trusting the baseURL parameter submitted via a user's POST request. Detection would involve monitoring or inspecting POST requests to the publication module endpoint to see if the baseURL parameter is being supplied or manipulated.

Since the vulnerability is related to the content of POST requests and email notifications generated by the system, detection could include reviewing logs for suspicious POST requests containing unusual or external baseURL values.

No specific commands are provided in the available resources to detect this vulnerability directly.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade LORIS to version 27.0.3 or later, or 28.0.1 or later, where the vulnerability has been fixed by removing the user-supplied baseURL parameter from the publication module.

If upgrading immediately is not possible, a workaround is to disable the publication module if it is not in use, to prevent exploitation.

Additionally, reviewing and restricting access to the publication module to trusted users can reduce the risk of exploitation.

Useful 0 Not Useful 0