Description
Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."
Remediation
References
http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4qdFxEW9NXBJoMsrBama8LFNyir%2B61A0Vfzp4njEpeU%3Dw%40mail.gmail.com%3E
http://secunia.com/advisories/55249
http://www.securityfocus.com/bid/63241
https://issues.apache.org/jira/browse/SLING-3141
Related Vulnerabilities
CVE-2019-10317 Vulnerability in maven package org.jvnet.hudson.plugins:sitemonitor
CVE-2020-11969 Vulnerability in maven package org.apache.tomee:openejb-lite
CVE-2017-15691 Vulnerability in maven package org.apache.uima:uimaj-core
CVE-2022-45387 Vulnerability in maven package org.jenkins-ci.plugins:bart
CVE-2020-2268 Vulnerability in maven package org.jenkins-ci.plugins:mongodb