Unrated severity · NVD Advisory · Published Apr 20, 2025 · Updated Apr 21, 2025

CVE-2020-36845

Description

KnowBe4 Security Awareness Training before 2020-01-10 has an open redirect vulnerability via a script that sets window.location.href to an arbitrary URL without validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The KnowBe4 Security Awareness Training application prior to 2020-01-10 contains a redirect function that does not validate the destination URL before performing the redirect. The server responds with an HTML page containing a SCRIPT element that sets window.location.href to an arbitrary HTTPS URL supplied by the attacker [1]. This allows an attacker to redirect users to any external website.
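The pattern described above, next to a validated form, as an added example: this is not KnowBe4's code and is not taken from the reference. The allow-listed hosts, the fallback path, and all function names are assumptions made for illustration.

```javascript
// Added example. Hosts, fallback and function names are illustrative assumptions.
const ALLOWED_HOSTS = new Set(["training.example.com", "www.example.com"]); // constructed
const FALLBACK = "/"; // same-site page used when the requested target is rejected

// Unvalidated pattern the advisory describes: whatever URL the request
// carried is written straight into a script that sets window.location.href.
function redirectPageUnvalidated(target) {
  return `<script>window.location.href = ${JSON.stringify(target)};</script>`;
}

// Returns the normalized URL if it is an absolute https URL on an
// allow-listed host, otherwise null.
function validateRedirectTarget(raw) {
  // Reject control characters and backslashes, which URL parsers silently
  // strip or rewrite and which make host checks easy to get wrong.
  if (typeof raw !== "string" || /[\u0000-\u001f\\]/.test(raw)) return null;
  let url;
  try {
    url = new URL(raw); // no base given, so relative and "//host" input throws
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;          // blocks javascript:, data:, http:
  if (url.username || url.password) return null;       // blocks "allowed-host@other-host"
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;   // exact match, not a suffix test
  return url.href;
}

// Hardened page: only a validated target, or the fallback, reaches the script.
function redirectPage(raw) {
  const target = validateRedirectTarget(raw) ?? FALLBACK;
  // JSON.stringify yields a JS string literal; escaping "<" keeps the value
  // from terminating the SCRIPT element.
  const literal = JSON.stringify(target).replace(/</g, "\\u003c");
  return `<!doctype html><script>window.location.href = ${literal};</script>`;
}
```

The host comparison is an exact match against the parsed hostname, so look-alike hosts that merely start or end with an allowed name are rejected.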

Exploitation

An attacker can craft a GET request to the vulnerable endpoint; the response is a page that automatically redirects the victim's browser to the attacker-controlled URL. The attacker does not require authentication; the victim only needs to click a malicious link or visit a crafted URL. The reference demonstrates the exact HTTP request and response that triggers the redirect [1].

Impact

Successful exploitation enables an attacker to redirect users to arbitrary external websites, which can be used for phishing attacks, credential harvesting, or distributing malware. The vulnerability itself is an open redirect; it does not directly allow code execution or data disclosure, but it can be leveraged as part of a larger attack chain.

Mitigation

The vulnerability was fixed by the vendor as of 2020-01-10 [1]. Users should ensure they are running a version of the KnowBe4 Security Awareness Training application dated after that. No workarounds are documented.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
