# Host Header Manipulation Leading to Open Redirect in CyberArk Privileged Access Manager Self-Hosted (PVWA)
## Summary
A vulnerability in **CyberArk Privileged Access Manager Self-Hosted (PVWA)** allows an **Open Redirect** by trusting the `Host` header to construct the redirection URL. An unauthenticated, remote attacker can manipulate the `Host` header to redirect users to a domain under their control (or any arbitrary domain). This issue stems from environment-related misconfigurations that can contribute to Host header injection.
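The weakness described above, shown as an added illustration that is not CyberArk's code: a redirect builder that copies the request `Host` header straight into the `Location` target, next to a hardened version that only accepts hostnames from a deployment allowlist and otherwise falls back to the canonical host. The hostnames and the `/PasswordVault/` path are assumptions for the example.

```python
# Assumed deployment values for this example: the canonical hostname the
# PVWA is actually served under, and the only Host values it should accept.
CANONICAL_HOST = "pvwa.example.internal"
ALLOWED_HOSTS = {"pvwa.example.internal"}
DEFAULT_PATH = "/PasswordVault/"  # assumed application path


def redirect_target_vulnerable(headers, path=DEFAULT_PATH):
    """Builds an absolute redirect URL from the Host header as received.

    This mirrors the weakness in the summary: whatever authority the client
    put in Host becomes the authority of the Location header, so a request
    that reaches the server with a foreign Host yields a redirect off-site.
    """
    host = headers.get("Host", CANONICAL_HOST)
    return f"https://{host}{path}"


def normalize_host(raw):
    """Lower-cases a Host value, drops an explicit default HTTPS port, and
    rejects anything that is not a bare host[:port] (no scheme, path or
    userinfo). Returns None when the value is unusable."""
    if not raw:
        return None
    host = raw.strip().lower()
    if any(ch in host for ch in "/\\@?#"):
        return None
    if host.endswith(":443"):
        host = host[:-4]
    return host or None


def is_trusted_host(raw):
    """True only when the normalized Host is on the deployment allowlist."""
    return normalize_host(raw) in ALLOWED_HOSTS


def redirect_target_hardened(headers, path=DEFAULT_PATH):
    """Builds the redirect from a validated Host, or from the canonical host
    when the Host header is missing, malformed or not allowlisted. The path
    must stay relative: a protocol-relative '//host' or absolute URL is
    replaced by the default path so it cannot smuggle a foreign authority."""
    host = normalize_host(headers.get("Host"))
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    if not path.startswith("/") or path.startswith("//"):
        path = DEFAULT_PATH
    return f"https://{host}{path}"
```

A Host value that normalizes to an allowlisted name (case or an explicit `:443` aside) is kept; every other value, including a missing header, resolves to the canonical host.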
---
## Affected Products and Versions
- **Product:** CyberArk Privileged Access Manager Self-Hosted (PVWA)
- **Versions Affected:** Versions **before 14.4**