CVE-2025-66880
Description
Cross Site Scripting vulnerability in Wethink Technology Inc 720yun pano-sdk 0.5.877 allows a remote attacker to execute arbitrary code via the LoginComp (Module 2093) and SignupComp (Module 2094) modules.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An open redirect in 720yun's login frontend (pano-sdk 0.5.877) can be chained to XSS via javascript: URLs, allowing session theft and phishing.
Vulnerability
Overview
The login frontend of 720yun's pano-sdk (version 0.5.877) contains an open redirect vulnerability (CWE-601) in the LoginComp (Module 2093) and SignupComp (Module 2094) components. The root cause is that the redirect parameter is read directly from window.location.search and used for post-authentication navigation without any origin validation or allowlist enforcement [1]. This allows an attacker to supply an arbitrary destination, including a javascript: URL, through the redirect parameter.
Exploitation
An attacker can craft a malicious link containing a redirect parameter pointing to an attacker-controlled site or a javascript: URL. If a victim clicks the link and completes authentication, the browser will navigate to the attacker-controlled destination. Because the redirect is not validated, the attacker can chain this with a javascript: URL to achieve Cross-Site Scripting (CWE-79) in the context of the 720yun domain [1]. No authentication is required to trigger the redirect; the victim must be tricked into clicking the crafted link and logging in.
Impact
Successful exploitation allows an attacker to redirect users to phishing pages that mimic the 720yun login, or to execute arbitrary JavaScript in the victim's browser after authentication. This can lead to session theft, cookie theft, and further account compromise [1]. The CVSS v3.1 score is 6.1 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [1].
Mitigation
Status
The vendor (Wethink Technology Inc.) deployed partial mitigations in pano-sdk version 0.5.899 as of 2026-01-08. The WAF now blocks javascript: scheme URLs, but the open redirect to arbitrary HTTP/HTTPS sites remains exploitable [1]. The vulnerable components (LoginComp Module 2093, SignupComp Module 2094) have been updated to Modules 3579 and 3580 respectively [1]. Users are advised to update to the latest version and remain cautious of untrusted login links.
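The defect described above (a redirect target taken verbatim from the query string) and the partial fix (blocking only the javascript: scheme at the WAF) are best understood side by side. The following is an added example, not code from 720yun or pano-sdk: the unsafe pattern next to a client-side validator that parses the parameter, accepts only http(s) targets whose origin is on an allowlist, and otherwise falls back to a default landing path. The function names, `DEFAULT_LANDING` and the sample origins are assumptions.

```javascript
// Added example (not pano-sdk code): validating a post-login redirect parameter.
// Assumed names: unsafeRedirectTarget, safeRedirectTarget, DEFAULT_LANDING.

const DEFAULT_LANDING = "/"; // used when the parameter is absent or rejected

// The pattern the advisory describes: whatever is in ?redirect= is navigated to.
// A WAF that only drops "javascript:" leaves every foreign http(s) host reachable.
function unsafeRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get("redirect") || DEFAULT_LANDING;
}

// Hardened version: parse, then check scheme and origin on the parsed result,
// never on the raw string.
function safeRedirectTarget(search, currentOrigin, allowedOrigins = [currentOrigin]) {
  const raw = new URLSearchParams(search).get("redirect");
  if (!raw) return DEFAULT_LANDING;

  let target;
  try {
    // Relative paths resolve against the current origin. Protocol-relative
    // forms such as "//evil.example" or "/\evil.example" resolve to a foreign
    // origin here, which the origin check below rejects.
    target = new URL(raw, currentOrigin);
  } catch {
    return DEFAULT_LANDING; // unparsable input is dropped, not passed through
  }

  // Only web schemes may be navigation targets; javascript:, data:, etc. are out.
  if (target.protocol !== "https:" && target.protocol !== "http:") return DEFAULT_LANDING;

  // Embedded credentials ("https://app.example@evil.example/") are never legitimate.
  if (target.username || target.password) return DEFAULT_LANDING;

  // Exact origin match against the allowlist (no prefix or substring tests).
  if (!allowedOrigins.includes(target.origin)) return DEFAULT_LANDING;

  return target.href;
}

// Constructed sample inputs for a quick demonstration when run directly.
const samples = [
  "?redirect=/account/settings",
  "?redirect=javascript:void(0)",
  "?redirect=//evil.example/login",
  "?redirect=https://evil.example/",
];
for (const s of samples) {
  console.log(s, "->", safeRedirectTarget(s, "https://app.example"));
}
```

Comparing `target.origin` against an allowlist after parsing is the important step: string checks such as `startsWith("/")` miss the `//host` and `/\host` forms, and a hostname prefix test accepts `app.example.evil.example`.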
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Range: =0.5.877
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.