{"id":"CVE-2017-7266","details":"Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout functionality accepted the \"next\" parameter which then redirects to any domain irrespective of the Host header.","aliases":["GHSA-j6jq-3q8p-xgg6"],"modified":"2026-04-10T04:02:04.126715Z","published":"2017-03-26T05:59:00.273Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/97088"},{"type":"ADVISORY","url":"https://github.com/Netflix/security_monkey/releases/tag/v0.8.0"},{"type":"ADVISORY","url":"https://github.com/Netflix/security_monkey/pull/482"},{"type":"FIX","url":"https://github.com/Netflix/security_monkey/commit/3b4da13efabb05970c80f464a50d3c1c12262466"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/netflix/security_monkey","events":[{"introduced":"0"},{"last_affected":"eefef7a8e4e8bd7ef1f427b97a28f58a404caa1d"},{"fixed":"3b4da13efabb05970c80f464a50d3c1c12262466"},{"fixed":"870e18bdfbbe6c3e7445cf655c5572cecec5c6f9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.7.0"}]}}],"versions":["0.3.0","0_1_2_test_1","0_2_0","S3ACLReturnedNoneDisplayName_exception_spelling","add_s3_getbuckettagging_permission","alembic_version_595e27f36454_fails_on_clean_db","configurable_api_server","connect_ses_exception_not_caught","documentation_fixes","exception_with_elbs_missing_PolicyDescriptions_section","issue_117_auditorsettings_never_created","issue_12_deleting_account_foreign_key_constraint","issue_42_elb_pagination_broke_elb_watcher","issue_52_iam_users_missing_pagination","lsv0.3.4","missing_ignorelist_alembic_script","unenforced_field_limits_throw_exceptions","update_quickstart_documentation","upgrade_flask_security","v0.3.4","v0.6.0","v0.7.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7266.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}