Description
Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."
Remediation
References
http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4qdFxEW9NXBJoMsrBama8LFNyir%2B61A0Vfzp4njEpeU%3Dw%40mail.gmail.com%3E
http://secunia.com/advisories/55249
http://www.securityfocus.com/bid/63241
https://issues.apache.org/jira/browse/SLING-3141
Related Vulnerabilities
CVE-2017-7957 Vulnerability in maven package org.jvnet.hudson:xstream
CVE-2016-3101 Vulnerability in maven package org.jenkins-ci.plugins:extra-columns
CVE-2020-17527 Vulnerability in maven package org.apache.tomcat:tomcat-coyote
CVE-2023-37466 Vulnerability in maven package org.webjars.npm:vm2
CVE-2023-33265 Vulnerability in maven package com.hazelcast:hazelcast