Description
Open redirect vulnerability in AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an absolute URL supplied in the resource parameter (the value the login form uses as the post-login redirect target), related to "a custom login form and XSS."
Remediation
Upgrade the org.apache.sling.auth.core bundle to version 1.1.4 or later (see SLING-3141 below). Until then, do not pass the resource parameter through to the redirect unchecked: accept only a same-origin path under the application's context path, reject absolute and protocol-relative URLs, and HTML-escape the value wherever a custom login form reflects it.
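As an added illustration, not Apache Sling's own code, the following Python contrasts the unsafe pattern the advisory describes (the resource parameter is used verbatim as the redirect target) with a validator that accepts only a same-origin path under the application's context path. The function names, the context_path rule and the sample inputs are assumptions made for this example.

```python
"""Added example: validating a login form's `resource` parameter before
using it as the post-login redirect target.  Not Apache Sling code; the
function names and the context-path rule are assumptions for illustration."""
import posixpath
from urllib.parse import unquote, urlsplit


def vulnerable_redirect_target(resource: str, default: str = "/") -> str:
    # The pattern behind the advisory: the request parameter is trusted
    # as-is, so "http://evil.example" or "//evil.example" leaves the site.
    return resource if resource else default


def is_local_redirect(target: str, context_path: str = "/") -> bool:
    """True only for an absolute *path* (no scheme, no host) that stays
    under context_path after normalisation."""
    if not target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False  # empty, or control chars (CR/LF header injection)
    # Servlet containers decode the parameter once; decode once more so a
    # double-encoded "%252F%252F" cannot become "//" in a later layer.
    candidate = unquote(target)
    # Browsers treat a backslash like a slash in the authority position,
    # so "/\evil.example" is effectively protocol-relative.
    if "\\" in candidate:
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False  # "http://...", "javascript:...", "//evil.example"
    # "///evil.example" parses with an empty netloc but browsers resolve it
    # to http://evil.example/, so reject anything starting with "//".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    # Collapse "/../" so the target cannot climb out of the context path.
    normalized = posixpath.normpath(parts.path)
    ctx = context_path.rstrip("/")  # "" for the root context
    return normalized == (ctx or "/") or normalized.startswith(ctx + "/")


def safe_redirect_target(resource: str, default: str = "/",
                         context_path: str = "/") -> str:
    """Hardened counterpart: fall back to `default` on anything suspicious."""
    return resource if is_local_redirect(resource, context_path) else default


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for value in ["/content/home.html", "http://evil.example/",
                  "//evil.example", "///evil.example", "/\\evil.example",
                  "%2F%2Fevil.example", "javascript:alert(1)",
                  "/app/../../etc", "/x\r\nSet-Cookie: a=b"]:
        print(f"{value!r:32} vulnerable -> {vulnerable_redirect_target(value)!r:28}"
              f" safe -> {safe_redirect_target(value, '/', '/app')!r}")
```

The context-path check matters as much as the scheme check: a redirect to "/../" or to a sibling path such as "/apple" when the application lives under "/app" is still on the same host, but it is not a location the login flow should ever send a user to.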
References
http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4qdFxEW9NXBJoMsrBama8LFNyir%2B61A0Vfzp4njEpeU%3Dw%40mail.gmail.com%3E
http://secunia.com/advisories/55249
http://www.securityfocus.com/bid/63241
https://issues.apache.org/jira/browse/SLING-3141