Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Mage_ProductAlert_AddController::stockAction() reads the uenc query parameter and passes it directly to $this->_redirectUrl($backUrl) without calling $this->_isUrlInternal() When the supplied product_id does not match any catalog product, the server issues an unvalidated HTTP 302 redirect to whatever URL was provided as uenc.
Vulnerable path:
// app/code/core/Mage/ProductAlert/controllers/AddController.php : stockAction()
$backUrl = $this->getRequest()->getParam(Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED); // raw, no decode
$productId = (int) $this->getRequest()->getParam('product_id');
if (!$backUrl || !$productId) {
$this->_redirect('/');
return;
}
$product = Mage::getModel('catalog/product')->load($productId);
if (!$product->getId()) {
$session->addError($this->__('Not enough parameters.'));
$this->_redirectUrl($backUrl); // ← NO _isUrlInternal() check
return;
}Secure peer (priceAction()):
if (!$product->getId()) {
if ($this->_isUrlInternal($backUrl)) { // ← validation present
$this->_redirectUrl($backUrl);
} else {
$this->_redirect('/');
}
return;
}Steps to Reproduce
Prerequisites
- OpenMage LTS ≤ 20.16.0 with Product Alerts enabled (default configuration)
- A valid, logged-in customer session on the target store
Step 1 - Authenticate as a Customer (Attacker controls the crafted link; victim must be logged in)
The preDispatch() hook calls Mage::getSingleton('customer/session')->authenticate($this). If the request comes from an unauthenticated user, they are redirected to the login page first. The open redirect only fires after the customer is authenticated. This is the realistic attack scenario: the attacker sends a crafted link to a customer who is already logged in.
<img width="1548" height="638" alt="image" src="https://github.com/user-attachments/assets/64c18279-ec0a-4110-b8f4-d952870e348c" />
Step 2 - Craft the Malicious URL
The uenc parameter is read raw via getParam() with no base64 decoding in this code path. A plain URL is sufficient and produces the redirect:
GET /productalert/add/stock/?product_id=99999&uenc=https://evil.com/steal-credentials HTTP/1.1
Host: <store-hostname>
Cookie: om_frontend=<authenticated-session>Key conditions:
product_idmust reference a non-existent product (triggers the vulnerable branch; any large ID works)uencis the raw destination URL (no base64 encoding required)
<img width="1554" height="852" alt="image" src="https://github.com/user-attachments/assets/d8530247-2d2f-4747-bf16-ece71a507b50" />
Impact
Technical Impact
An attacker who controls the uenc parameter value can redirect any logged-in shopper to an arbitrary external URL. Because the redirect originates from the legitimate store domain, the victim’s browser shows the trusted store URL in the address bar momentarily before being sent to the attacker site. The HTTP 302 response exits the store’s origin before the browser shows anything to the user.
Business-Level Attack Vectors
| Scenario | Description |
|---|---|
| Credential phishing | Craft a link claiming to show a stock notification. Customer lands on attacker’s login clone and reuses their password. |
| OAuth / SSO token theft | If the store uses a social login or “Login with Google” flow, the attacker can inject their redirect_uri via the open redirect, stealing OAuth tokens. |
| Affiliate fraud | Redirect customers from the legitimate store to a competing retailer after they click a “notify me” link. |
| Malware distribution | Redirect to drive-by-download pages with the store’s reputation acting as social proof. |
Propagation
A single malicious link can be embedded in:
- Customer emails (“Click here for stock notification preferences”)
- Forum posts, social media, or product reviews on the store
- SEO-poisoned search results that rank the store’s domain
Recommended Fix
Apply the same _isUrlInternal() guard used in priceAction() to the stockAction() missing-product
This is an AI-generated report.
An attempt was made to test the same PoC against the online demo https://demo.openmage.org/ but it couldn't be reproduced. It was only reproduced against the local setup env against the latest version.
AnalysisAI
Open redirect vulnerability in OpenMage LTS through version 20.17.0 allows authenticated attackers to redirect logged-in customers to arbitrary external URLs via an unvalidated uenc parameter in the ProductAlert stockAction() controller. The vulnerability occurs when a non-existent product ID is supplied, bypassing the _isUrlInternal() validation check present in the analogous priceAction() method. Attackers can exploit this for credential phishing, OAuth token theft, affiliate fraud, or malware distribution by crafting a malicious link and distributing it via email, forums, or social media.
Technical ContextAI
OpenMage LTS is a community-maintained fork of Magento 1.x, a PHP-based e-commerce platform. The vulnerability exists in the Mage_ProductAlert_AddController::stockAction() method located in app/code/core/Mage/ProductAlert/controllers/AddController.php. The controller accepts a uenc (URL-encoded return URL) query parameter and a product_id parameter. When a user requests stock alerts for a product, the code retrieves the product from the catalog database. If the product does not exist (ID returns no match), the code calls _redirectUrl($backUrl) directly without first validating that the URL is internal to the store domain using the _isUrlInternal() method. This is a clear deviation from the secure pattern already implemented in the sibling priceAction() method within the same controller, where the _isUrlInternal() check is present. The root cause is CWE-601 (URL Redirection to Untrusted Site / Open Redirect), a classic control-flow bypass where user-supplied input directly influences redirect destinations without domain validation.
RemediationAI
Vendor-released patch: upgrade to OpenMage LTS version 20.18.0 or later. The fix applies the _isUrlInternal() validation guard to the stockAction() method, mirroring the secure pattern already present in priceAction(). If immediate patching is not possible, implement a temporary web application firewall (WAF) rule to block requests to /productalert/add/stock/ that contain a uenc parameter pointing to external domains - allow only uenc values matching the store's own domain or relative paths beginning with /. This mitigation eliminates the attack vector at the network perimeter but does not resolve the underlying code defect and may produce false positives if the store legitimately uses the uenc parameter for external redirects elsewhere. The most reliable short-term control is to disable the Product Alerts feature entirely via admin configuration (System > Configuration > Catalog > Product Alerts) if business requirements permit; this eliminates the vulnerable endpoint entirely. Communicate with customers that the stock notification feature will be temporarily offline during patching to avoid confusion. Apply the patch as soon as possible, as the vulnerability is publicly documented and proof-of-concept steps are available.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30570
GHSA-qpgq-5g92-j5q8