Description
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
Remediation
References
Related Vulnerabilities
PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2009-3557)
MediaWiki CVE-2019-12474 Vulnerability (CVE-2019-12474)
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-3546)
Handlebars Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-20920)