CVE-2024-28287: n/a
A DOM-based open redirection in the returnUrl parameter of INSTINCT UI Web Client 6.5.0 allows attackers to redirect users to malicious sites via a crafted URL.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2024-28287 identifies a DOM-based open redirection vulnerability in INSTINCT UI Web Client version 6.5.0. The flaw lies in the returnUrl parameter, which the client uses to send users back to a page after certain actions. Because the value is not sufficiently validated or sanitized, an attacker can craft a URL whose returnUrl causes the client-side script to redirect the user to an arbitrary external site under the attacker's control; since the redirect is performed in the browser, the untrusted destination never has to pass a server-side check. The weakness is classified as CWE-601 (URL Redirection to Untrusted Site). The CVSS 3.1 vector is network-based (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R) and scope unchanged (S:U), with high confidentiality and integrity impact (C:H/I:H) and no availability impact (A:N). Exploitation can support phishing, credential theft, session hijacking or malware distribution by sending users to attacker-controlled domains. No patches or fixes are currently linked, and no exploitation in the wild had been reported as of the publication date. The CVE was reserved on 2024-03-08 and published on 2024-04-02. Organizations using this software should apply mitigations promptly.
Potential Impact
The primary impact of CVE-2024-28287 is on user confidentiality and integrity. Attackers can leverage the open redirection to redirect users to malicious websites that may host phishing pages or malware, potentially leading to credential compromise or further exploitation. This can undermine user trust and lead to unauthorized access to sensitive systems if credentials or session tokens are stolen. While availability is not directly affected, the reputational damage and potential data breaches can have significant operational and financial consequences. Organizations relying on INSTINCT UI Web Client 6.5.0, particularly in sectors such as government, critical infrastructure, and enterprise environments, face increased risk of targeted phishing campaigns exploiting this vulnerability. The requirement for user interaction and limited privileges reduces the ease of exploitation somewhat but does not eliminate the threat, especially in environments where users may be less security-aware.
Mitigation Recommendations
To mitigate CVE-2024-28287, organizations should:
1) Implement strict validation and sanitization of the returnUrl parameter on both client and server sides to ensure only trusted URLs are accepted.
2) Employ an allowlist approach restricting redirection targets to known safe domains.
3) Where possible, avoid using open redirect parameters or replace them with token-based redirection mechanisms that verify the legitimacy of the redirect destination.
4) Educate users to recognize suspicious URLs and avoid clicking on untrusted links, especially those received via email or messaging platforms.
5) Monitor web traffic for unusual redirection patterns that may indicate exploitation attempts.
6) Engage with the software vendor for patches or updates addressing this vulnerability and apply them promptly once available.
7) Use web application firewalls (WAFs) to detect and block malicious redirection attempts.
8) Conduct regular security assessments and penetration testing focusing on URL redirection and input validation controls.
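As an added example (not code from INSTINCT UI or its vendor), the following shows the client-side allowlist check that recommendations 1 to 3 describe for a DOM-based returnUrl redirect. It assumes the page's own origin (`currentOrigin`, normally `window.location.origin`) and an `allowedOrigins` list are the only inputs; the parameter and origin names are illustrative.

```javascript
// Added example, not code from INSTINCT UI or its vendor: allowlist-based
// validation for a returnUrl parameter consumed by client-side script.
// Assumptions: currentOrigin is the page's own origin (e.g. window.location.origin)
// and allowedOrigins lists the only external origins a redirect may target.

const SAFE_DEFAULT = "/"; // where to send the user when returnUrl is rejected

function resolveReturnUrl(raw, currentOrigin, allowedOrigins = []) {
  if (typeof raw !== "string" || raw.length === 0) return SAFE_DEFAULT;

  let target;
  try {
    // Resolving against the current origin makes relative paths absolute,
    // while scheme-relative ("//other.host") and absolute inputs keep their
    // own host, so the origin comparison below sees the real destination.
    target = new URL(raw, currentOrigin);
  } catch {
    return SAFE_DEFAULT; // unparsable input is never followed
  }

  // Only web schemes may be followed; this rejects javascript:, data:, etc.
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    return SAFE_DEFAULT;
  }

  // Exact origin match (scheme + host + port). A substring or prefix check
  // such as host.includes("partner.example") would accept look-alike hosts
  // and an http: variant of an https: origin would be a downgrade.
  const allowed = new Set([currentOrigin, ...allowedOrigins]);
  return allowed.has(target.origin) ? target.href : SAFE_DEFAULT;
}

// Browser entry point: read returnUrl from the page URL, validate it, then
// navigate. `win` is passed in so the logic can be exercised without a DOM.
function redirectAfterAction(win, allowedOrigins = []) {
  const raw = new URL(win.location.href).searchParams.get("returnUrl");
  const dest = resolveReturnUrl(raw, win.location.origin, allowedOrigins);
  win.location.assign(dest);
  return dest;
}
```

Only the validated `dest` ever reaches `location.assign`, so a crafted returnUrl pointing off-origin collapses to the safe default instead of being followed.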
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, Netherlands, Sweden, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-03-08T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d8cb7ef31ef0b5883a6
Added to database: 2/25/2026, 9:45:48 PM
Last enriched: 2/26/2026, 7:15:25 PM
Last updated: 4/12/2026, 3:38:17 PM