Description

Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."

Remediation

References

http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4qdFxEW9NXBJoMsrBama8LFNyir%2B61A0Vfzp4njEpeU%3Dw%40mail.gmail.com%3E

http://secunia.com/advisories/55249

http://www.securityfocus.com/bid/63241

https://issues.apache.org/jira/browse/SLING-3141

Related Vulnerabilities

CVE-2019-10317 Vulnerability in maven package org.jvnet.hudson.plugins:sitemonitor

CVE-2020-11969 Vulnerability in maven package org.apache.tomee:openejb-lite

CVE-2017-15691 Vulnerability in maven package org.apache.uima:uimaj-core

CVE-2022-45387 Vulnerability in maven package org.jenkins-ci.plugins:bart

CVE-2020-2268 Vulnerability in maven package org.jenkins-ci.plugins:mongodb

Severity

Critical

Classification

CWE-20

Tags

Vendor Advisory