Impact
An open redirect/phishing vulnerability was found in ASH-AIO. The domains that ASH-AIO linked to for Hexexpeck's website and the ASH Team website had expired; an attacker could register them and serve arbitrary HTML content to end users, which also makes phishing attacks much easier.
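The root cause above is a dangling reference: software ships hard-coded links to domains the project no longer controls. The following added example (not code from ASH-AIO or its authors) shows a small pre-release check that extracts every outbound hostname from source text and flags any that is not under a version-controlled allowlist of domains the project still owns; the sample source and all domain names are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample of source text containing outbound links. The hostnames are
# placeholders (.invalid TLD), not the real ASH-AIO, Hexexpeck or ASH Team domains.
SAMPLE_SOURCE = """
open_url("https://example-author-site.invalid/about")
open_url("https://forum.example-team.invalid/thread/42")
open_url("https://github.com/example-org/example-repo/releases")
"""

# Assumed allowlist: domains the project verifiably controls. Keeping this list in
# the repository forces a review whenever a new outbound domain is introduced.
OWNED_DOMAINS = {"github.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def extract_hosts(text: str) -> list[str]:
    """Return the lowercase hostnames of all http(s) URLs in `text`, de-duplicated, in order."""
    hosts: list[str] = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts


def dangling_candidates(text: str, owned: set[str]) -> list[str]:
    """Hosts linked from `text` that are neither an owned domain nor a subdomain of one.

    Each hit should be confirmed against the registrar (expiry date, registrant) before
    release; an expired or transferred domain is the condition this advisory describes.
    """
    def covered(host: str) -> bool:
        return any(host == d or host.endswith("." + d) for d in owned)

    return [h for h in extract_hosts(text) if not covered(h)]


if __name__ == "__main__":
    for host in dangling_candidates(SAMPLE_SOURCE, OWNED_DOMAINS):
        print(f"review outbound link target: {host}")
```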
Patches
A patch has been pushed to the master branch of the repository. The newest version is 2.0.0.3 (no release candidate is available at the moment); you can obtain this version by compiling the source.
Workarounds
No workarounds available.
References
A HackerOne report is available; however, I cannot link it, since it is only visible to those invited to my private vulnerability disclosure program on HackerOne.
For more information
If you have any questions or comments about this advisory:
The hacker who submitted this report has agreed to the disclosure of a summary of the vulnerability on my HackerOne program as well as to the public release of this security advisory.