CVE-2023-22958
Description
The Syracom Secure Login plugin for Jira before 3.1.1.0 has an open redirect vulnerability in the 2FA PIN validation page, allowing phishing attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Syracom Secure Login plugin for Jira before version 3.1.1.0 contains an open redirect vulnerability in the 2FA PIN validation page. The target parameter of the endpoint plugins/servlet/twofactor/public/pinvalidation does not properly validate the redirect URL, allowing an attacker to specify an arbitrary external URL [1].
Exploitation
An attacker can craft a malicious link that, after the user successfully enters their 2FA PIN, redirects the user to an attacker-controlled website. The user must be authenticated to Jira and the 2FA session must be active. By luring the victim to click such a link (e.g., via phishing email), the attacker can redirect the authenticated user to a malicious site that mimics a legitimate Jira page [1].
Impact
Successful exploitation enables an attacker to perform phishing attacks against authenticated Jira users. The attacker can steal login credentials or other sensitive information by presenting a fake login page or by tricking the user into entering data on the malicious site [1].
Mitigation
The vulnerability is fixed in version 3.1.1.0 of the Secure Login plugin. Users should upgrade to this version or later. No workaround is documented in the available references [1].
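To make the defect concrete: the safe pattern for a post-2FA redirect parameter such as `target` is to accept only a path on Jira's own origin and fall back to a fixed landing page otherwise. The following is an added example, not the plugin's code; the base URL, the landing page and the function names are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumed deployment values; a real plugin would read the base URL from Jira's configuration.
JIRA_BASE_URL = "https://jira.example.com"
DEFAULT_LANDING = "/secure/Dashboard.jspa"  # assumed page to land on after PIN validation


def vulnerable_target(target: str) -> str:
    """Open-redirect pattern: the query parameter is used verbatim as the Location."""
    return target or DEFAULT_LANDING


def safe_target(target: str) -> str:
    """Return a same-origin relative path, or the default landing page if `target` is unsafe."""
    if not target:
        return DEFAULT_LANDING
    # Browsers treat backslashes like slashes, so normalise them before parsing;
    # resolving against the base URL exposes protocol-relative forms such as "//evil".
    candidate = target.replace("\\", "/")
    try:
        parsed = urlsplit(urljoin(JIRA_BASE_URL, candidate))
    except ValueError:  # e.g. malformed IPv6 literal
        return DEFAULT_LANDING
    base = urlsplit(JIRA_BASE_URL)
    # Scheme and host must match exactly; this also rejects javascript:, http://,
    # "jira.example.com.evil" and userinfo tricks like "jira.example.com@evil".
    if parsed.scheme != base.scheme or parsed.netloc.lower() != base.netloc.lower():
        return DEFAULT_LANDING
    if not parsed.path.startswith("/"):
        return DEFAULT_LANDING
    # Re-emit as a relative path so no host component survives into the redirect.
    result = parsed.path
    if parsed.query:
        result += "?" + parsed.query
    if parsed.fragment:
        result += "#" + parsed.fragment
    return result


if __name__ == "__main__":
    for t in ["/browse/PROJ-1", "//attacker.example/login", "javascript:alert(1)"]:
        print(repr(t), "->", safe_target(t))
```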
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.1.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.