Description
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim to send over their credentials.
Remediation
References
https://lists.apache.org/thread.html/182bed1dd6933824a81cc5f07639eeb813fbd8f2cc49d51b452ab621%40%3Cdev.sling.apache.org%3E
Related Vulnerabilities
CVE-2017-17068 Vulnerability in npm package auth0-js
CVE-2017-16055 Vulnerability in npm package sqlserver
CVE-2014-3680 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2018-1000402 Vulnerability in maven package org.jenkins-ci.plugins:codedeploy
CVE-2016-2164 Vulnerability in maven package org.apache.openmeetings:openmeetings-server