Description

Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."

Remediation

References

http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4qdFxEW9NXBJoMsrBama8LFNyir%2B61A0Vfzp4njEpeU%3Dw%40mail.gmail.com%3E

http://secunia.com/advisories/55249

http://www.securityfocus.com/bid/63241

https://issues.apache.org/jira/browse/SLING-3141

Related Vulnerabilities

CVE-2021-21277 Vulnerability in npm package angular-expressions

CVE-2017-17068 Vulnerability in maven package org.webjars.npm:auth0-js

CVE-2020-9480 Vulnerability in maven package org.apache.spark:spark-network-common_2.12

CVE-2018-6356 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2023-31062 Vulnerability in maven package org.apache.inlong:manager-web

Severity

Critical

Classification

CWE-20

Tags

Vendor Advisory