Movary unvalidated Referer header allows open redirect and phishing

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0.

Basic Information

ID CVE-2025-64115

Source GitHub_M

Published Oct 30, 2025 at 17:39

Modified Oct 30, 2025 at 19:06

Affected Product

Vendor leepeuker

Product movary

Version < 0.69.0

Affected Versions leepeuker movary < 0.69.0

CWE Classification

CWE-601

References

{
    "lastseen": "",
    "description": "Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0.",
    "published": "2025-10-30T17:39:19.330Z",
    "modified": "2025-10-30T19:06:23.834Z",
    "type": "cve",
    "title": "Movary unvalidated Referer header allows open redirect and phishing",
    "source": "GitHub_M",
    "references": "https://github.com/leepeuker/movary/security/advisories/GHSA-pm58-79jw-q79f\nhttps://github.com/leepeuker/movary/pull/713\nhttps://github.com/leepeuker/movary/commit/716f703b4464ffdb0365c406f3660d275495769f",
    "id": "CVE-2025-64115",
    "bulletinFamily": "",
    "cwe": [
        "CWE-601"
    ],
    "cvelist": null,
    "sourceData": "leepeuker movary < 0.69.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "movary",
    "version": "< 0.69.0",
    "vendor": "leepeuker",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Movary unvalidated Referer header allows open redirect and phishing_CVE-2025-64115