What is CVE-2023-28370?

CVE-2023-28370 is a vulnerability in Tornadoweb Tornado. Published 2023-05-25.

Is CVE-2023-28370 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Tornadoweb Tornado

CVE-2023-28370

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

EPSS: 0.004 (62.9th percentile) — read the EPSS interpretation.

Affected products

Tornadoweb Tornado — versions versions 6.3.1 and earlier

Public proof-of-concept exploits

HotDB-Community/HotDB-Engine
andersonloyem/magui

References

github.com/tornadoweb/tornado/releases/tag/v6.3.2
jvn.jp/en/jp/JVN45127776/

Frequently asked questions

What is CVE-2023-28370?: CVE-2023-28370 is a vulnerability in Tornadoweb Tornado. Published 2023-05-25.
Is CVE-2023-28370 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.