Home

Description

Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0.

PUBLISHED Reserved 2025-10-27 | Published 2025-10-30 | Updated 2025-10-30 | Assigner GitHub_M




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Product status

< 0.69.0
affected

References

github.com/...movary/security/advisories/GHSA-pm58-79jw-q79f

github.com/leepeuker/movary/pull/713

github.com/...ommit/716f703b4464ffdb0365c406f3660d275495769f

cve.org (CVE-2025-64115)

nvd.nist.gov (CVE-2025-64115)

Download JSON