{"id":"CVE-2023-28370","details":"Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL.","aliases":["GHSA-hj3f-6gcp-jg8j","PYSEC-2023-75"],"modified":"2026-04-16T00:07:22.497943762Z","published":"2023-05-25T10:15:09.750Z","related":["ALSA-2023:6523","SUSE-SU-2023:2770-1","SUSE-SU-2023:2807-1","SUSE-SU-2023:3122-1","SUSE-SU-2023:3123-1","SUSE-SU-2023:3128-1","SUSE-SU-2023:3131-1","SUSE-SU-2023:3137-1","SUSE-SU-2023:3139-1","SUSE-SU-2023:3142-1","SUSE-SU-2023:3143-1","SUSE-SU-2023:3144-1","SUSE-SU-2023:3145-1","openSUSE-SU-2024:13107-1","openSUSE-SU-2024:13121-1"],"references":[{"type":"WEB","url":"https://github.com/tornadoweb/tornado/releases/tag/v6.3.2"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html"},{"type":"ADVISORY","url":"https://jvn.jp/en/jp/JVN45127776/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tornadoweb/tornado","events":[{"introduced":"0"},{"fixed":"34f5c1cf2696afec5532ca9e870ba32cbc7fee27"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"6.3.2"}]}}],"versions":["v1.0.0","v1.1.0","v1.2.0","v2.0.0","v2.1.0","v2.1.1","v2.2.0","v2.3.0","v3.0.0","v3.0.1","v3.1.0","v3.2.0","v3.2.0b1","v3.2.0b2","v4.0.0","v4.0.0b1","v4.0.0b2","v4.0.0b3","v4.1.0","v4.1.0b1","v4.1.0b2","v4.2.0","v4.2.0b1","v4.3.0","v4.3.0b1","v4.3.0b2","v4.4.0","v4.4.0b1","v4.4.1","v4.5.0","v4.5.1","v5.0.0","v5.1.0","v6.0.0","v6.0.0b1","v6.1.0","v6.1.0b1","v6.1.0b2","v6.2.0","v6.2.0b1","v6.2.0b2","v6.3.0","v6.3.0b1","v6.3.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28370.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}