Description

Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."

Remediation

References

http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4qdFxEW9NXBJoMsrBama8LFNyir%2B61A0Vfzp4njEpeU%3Dw%40mail.gmail.com%3E

http://secunia.com/advisories/55249

http://www.securityfocus.com/bid/63241

https://issues.apache.org/jira/browse/SLING-3141

Related Vulnerabilities

CVE-2023-24425 Vulnerability in maven package com.cloudbees.jenkins.plugins:kubernetes-credentials-provider

CVE-2017-12633 Vulnerability in maven package org.apache.camel:camel-hessian

CVE-2022-24785 Vulnerability in maven package org.fujion.webjars:moment

CVE-2021-26073 Vulnerability in npm package atlassian-connect-express

CVE-2013-4152 Vulnerability in maven package org.springframework:spring-web

Severity

Critical

Classification

CWE-20

Tags

Vendor Advisory