Details
- Bug
- Resolution: Fixed
- Critical
- 6.0-rc-1
Description
The login and logout parameter xredirect can link to external sites. For example:
/bin/login/XWiki/XWikiLogin?xredirect=//www.softscheck.com/de
/bin/logout/XWiki/XWikiLogout?xredirect=//www.softscheck.com/de
An attack path could be a link in one of the sites that looks like an internal reference but redirects to the attacker's site.
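
One way to validate a redirect parameter such as xredirect before it is used, shown as an added example; this is not XWiki's code or the fix that was applied. The trusted host name `wiki.example.org` and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the wiki's own host name (placeholder value for this example).
TRUSTED_HOSTS = {"wiki.example.org"}


def is_safe_redirect(target, trusted_hosts=TRUSTED_HOSTS):
    """Return True only if following `target` keeps the user on this site."""
    # Browsers drop tab/CR/LF inside URLs, so control characters are refused outright.
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" like "/", so normalise before inspecting the prefix.
    normalized = target.strip().replace("\\", "/")
    # "//host/path" is scheme-relative: it inherits http(s) and leaves the site.
    # This is the form used in the report, so it is never accepted.
    if normalized.startswith("//"):
        return False
    try:
        parts = urlsplit(normalized)
    except ValueError:  # malformed authority, e.g. an unterminated "[" literal
        return False
    if parts.scheme:
        # Absolute URL: only http(s) to a host on the allow-list.
        return parts.scheme in ("http", "https") and parts.hostname in trusted_hosts
    # No scheme and no authority: accept root-relative paths only.
    return normalized.startswith("/")


def xredirect_is_safe(request_url):
    """Check every xredirect value in a request URL; an absent parameter is fine."""
    values = parse_qs(urlsplit(request_url).query).get("xredirect", [])
    return all(is_safe_redirect(v) for v in values)


if __name__ == "__main__":
    # The two request URLs from the description above.
    for url in (
        "/bin/login/XWiki/XWikiLogin?xredirect=//www.softscheck.com/de",
        "/bin/logout/XWiki/XWikiLogout?xredirect=//www.softscheck.com/de",
    ):
        print(url, "->", "allow" if xredirect_is_safe(url) else "reject")
```

When the check fails, redirecting to a fixed internal default page is safer than echoing the supplied value back.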
Issue Links
- is duplicated by
  - XWIKI-20096 Open Redirect vulnerability discovered in the latest XWiki platform (Closed)
- is related to
  - XWIKI-10309 Phishing Through URL Redirection (Closed)