{"url":"http://public2.vulnerablecode.io/api/packages/383811?format=json","purl":"pkg:hex/phoenix@1.0.6","type":"hex","namespace":"","name":"phoenix","version":"1.0.6","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.0.5","latest_non_vulnerable_version":"1.8.6","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1?format=json","vulnerability_id":"VCID-tze3-x324-z3hz","summary":"The Phoenix team designed Phoenix.Controller.redirect/2 to protect against\nredirects allowing user input to redirect to an external URL where your\napplication code otherwise assumes a local path redirect. This is why the\n:to option is used for “local” URL redirects and why you must pass the\n:external option to intentionally allow external URLs to be redirected to.\n\nIt has been disclosed that carefully crafted user input may be treated by some\nbrowsers as an external URL. An attacker can use this vulnerability to aid in\nsocial engineering attacks. The most common use would be to create highly\nbelievable phishing attacks.\n\nFor example, the following user input would pass local URL validation,\nbut be treated by Chrome and Firefox as external URLs:\nhttp://localhost:4000/?redirect=/\\nexample.com\n\nNot all browsers are affected, but latest Chrome and Firefox will issue a get\nrequest for example.com and successfully redirect externally.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000163","reference_id":"","reference_type":"","scores":[{"value":"0.01793","scoring_system":"epss","scoring_elements":"0.83165","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000163"},{"reference_url":"https://elixirforum.com/t/security-releases-for-phoenix/4143","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://elixirforum.com/t/security-releases-for-phoenix/4143"},{"reference_url":"https://github.com/phoenixframework/phoenix","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/phoenixframework/phoenix"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000163","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000163"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1?format=json","purl":"pkg:hex/phoenix@1.0.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/phoenix@1.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/383811?format=json","purl":"pkg:hex/phoenix@1.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/phoenix@1.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/2?format=json","purl":"pkg:hex/phoenix@1.1.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/phoenix@1.1.7"},{"url":"http://public2.vulnerablecode.io/api/packages/383812?format=json","purl":"pkg:hex/phoenix@1.1.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/phoenix@1.1.8"},{"url":"http://public2.vulnerablecode.io/api/packages/3?format=json","purl":"pkg:hex/phoenix@1.2.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/phoenix@1.2.3"}],"aliases":["CVE-2017-1000163","GHSA-cmfh-8f8r-fj96"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tze3-x324-z3hz"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:hex/phoenix@1.0.6"}