CVE-2025-15112
5.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
Ksenia Security lares (legacy model) version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ksenia Security S.p.A. | lares | 1.6 | affected |
| Ksenia Security S.p.A. | lares | 1.0.0.15 | affected |
Weaknesses
- CWE-601: CWE-601 URL redirection to untrusted site ('open redirect')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php
- https://packetstorm.news/files/id/190179/
- https://www.kseniasecurity.com/
- https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-url-redirection-vulnerability
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.