EUVD-2025-209233 | CVE-2025-61166 | MEDIUM 6.1 (CVSS 3.1)
2026-04-06 | mitre | GHSA-j58g-5hhr-9qhv

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 06, 2026 - 17:45 (vuln.today)
EUVD ID Assigned: Apr 06, 2026 - 17:45 (euvd), EUVD-2025-209233
CVE Published: Apr 06, 2026 - 00:00 (nvd), MEDIUM 6.1

Description

An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect users to a malicious site via a crafted URL.

Analysis

An open redirect in Ascertia SigningHub User v10.0 allows unauthenticated remote attackers to send users to attacker-controlled websites via crafted URLs, enabling phishing and credential harvesting. The victim must click the link (UI:R), and the damage lands outside the vulnerable component (S:C): the SigningHub host issues the redirect, but the harm occurs on the attacker's site, where the victim is typically presented with a cloned login page. CVSS 6.1 (Medium); no confirmed active exploitation or public exploit code had been identified at the time of analysis.

Technical Context

The vulnerability stems from improper validation of a redirect target taken from the URL, classified as CWE-601 (URL Redirection to Untrusted Site). SigningHub User v10.0 does not validate or sanitize the redirect parameter in its application URLs, so an attacker can place an arbitrary destination in that parameter. When a user clicks such a link, typically delivered by phishing email or other social engineering, the application itself answers with a redirect to the attacker's site, with no warning or interstitial. What makes the class dangerous is that the link the victim inspects points at the legitimate SigningHub hostname; the hop to the malicious site happens only after the trusted server responds. The pattern is common in web applications that accept a user-supplied "return to" or "next" target: anything short of a strict allowlist (local paths only, or an exact match against known-safe hosts) tends to be bypassable, because simple prefix or substring checks miss protocol-relative (//host), backslash (/\host) and userinfo (https://good@evil) forms.

Affected Products

Ascertia SigningHub User v10.0 is confirmed affected. The CPE in the source data is a generic placeholder (cpe:2.3:a:n/a:n/a) rather than a vendor-specific identifier, which suggests vendor data was incomplete when the CVE was published. ENISA EUVD-2025-209233 likewise lists the affected version as 'n/a n/a', i.e. no structured version metadata. Organizations running SigningHub User v10.0 should treat themselves as affected and verify; whether earlier or later releases share the flaw cannot be determined from the available data.

Remediation

Vendor patch information and a specific fixed version are not provided in the available source data. Organizations should contact Ascertia through its security advisory channels or check the vendor's website for a patched SigningHub User release. Until a fix is applied: restrict the application's redirect parameter to local paths or an allowlist of internal hosts, validated server-side rather than by prefix matching (protocol-relative, backslash and userinfo variants defeat naive checks); disable or narrow any non-essential redirect functionality if the configuration permits; add URL filtering at the email gateway for links to the SigningHub host that carry an external redirect target; and brief users, while recognising that "check the domain before clicking" offers limited protection here because the visible link really does point at the trusted domain.
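The following is an added example, not Ascertia's code and not derived from the affected product: it reproduces the CWE-601 pattern described under Technical Context (a redirect target taken straight from the query string) beside the allowlist validation recommended under Remediation, and finishes with the same check run over a few constructed access-log lines as a detection aid. The route /Login, the parameter name returnUrl, the host signinghub.example.com and the log lines are all assumptions for illustration.

```python
"""Added example for CVE-2025-61166 (CWE-601): an unvalidated redirect
parameter beside a hardened validator, plus a scan of constructed log lines.
Illustrative code, not Ascertia's; the route '/Login', the parameter name
'returnUrl' and the host 'signinghub.example.com' are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = frozenset({"signinghub.example.com"})  # assumed deployment host
DEFAULT_LANDING = "/"


def vulnerable_redirect_target(request_url):
    """The CWE-601 pattern: whatever the caller put in returnUrl is used as-is."""
    query = parse_qs(urlsplit(request_url).query)
    return query.get("returnUrl", [DEFAULT_LANDING])[0]


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept only a local absolute path or an HTTPS URL on an allowlisted host.

    Covers the usual allowlist bypasses: protocol-relative '//host',
    backslash variants '/\\host', 'https:host' (scheme without slashes),
    userinfo tricks 'https://good@evil', non-http schemes such as
    javascript:, and control characters or whitespace (CRLF injection,
    'java\\tscript:').
    """
    if not target or any(ord(c) < 0x21 for c in target):
        return False
    # Browsers treat backslashes like forward slashes, so normalize first.
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or protocol-relative URL: require an allowlisted host
        # (parts.hostname strips userinfo and port) and an explicit https://.
        host = (parts.hostname or "").lower()
        return host in allowed_hosts and parts.scheme.lower() == "https"
    # No authority: must be a local absolute path. This also rejects
    # 'https:evil.example' and '///evil.example', which browsers resolve
    # to an external host even though urlsplit reports no netloc.
    return normalized.startswith("/") and not normalized.startswith("//")


def hardened_redirect_target(request_url):
    """Same lookup as the vulnerable handler, but falls back to a fixed page."""
    candidate = vulnerable_redirect_target(request_url)
    return candidate if is_safe_redirect(candidate) else DEFAULT_LANDING


# Constructed Apache-style access-log lines (not real SigningHub logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Apr/2026:17:45:01 +0000] "GET /Login?returnUrl=%2FDocuments HTTP/1.1" 302 0',
    '203.0.113.9 - - [06/Apr/2026:17:45:02 +0000] "GET /Login?returnUrl=https%3A%2F%2Fsigninghub.example.com%2FDocuments HTTP/1.1" 302 0',
    '203.0.113.9 - - [06/Apr/2026:17:45:03 +0000] "GET /Login?returnUrl=//evil.example HTTP/1.1" 302 0',
    '198.51.100.7 - - [06/Apr/2026:17:45:04 +0000] "GET /Login?returnUrl=https%3A%2F%2Fsigninghub.example.com%40evil.example%2F HTTP/1.1" 302 0',
    '198.51.100.7 - - [06/Apr/2026:17:45:05 +0000] "GET /Home HTTP/1.1" 200 512',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')


def flag_open_redirect_attempts(log_lines, param="returnUrl"):
    """Return (request, target) pairs whose redirect target fails the check."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        request = match.group(1)
        for target in parse_qs(urlsplit(request).query).get(param, []):
            if not is_safe_redirect(target):
                hits.append((request, target))
    return hits


if __name__ == "__main__":
    crafted = "https://signinghub.example.com/Login?returnUrl=//evil.example"
    print("vulnerable ->", vulnerable_redirect_target(crafted))
    print("hardened   ->", hardened_redirect_target(crafted))
    for request, target in flag_open_redirect_attempts(SAMPLE_LOG):
        print("suspicious:", request, "->", target)
```

The validator deliberately rejects plain relative paths such as Documents and protocol-relative links even to the allowed host; a redirect feature only ever needs a local absolute path or a fully qualified https:// URL to a known host, and anything looser is where bypasses live. If the application decodes the parameter more than once before redirecting, run the same check on the decoded value as well.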

Priority Score: 31 (scale: Low / Medium / High / Critical)
KEV: 0 | EPSS: +0.0 | CVSS: +30 | POC: 0
