Hello XWiki team,
I discovered an open redirect vulnerability in the XWiki platform in the xredirect parameter.
If a victim goes to the following URL: https://xwiki/bin/login/XWiki/XWikiLogin?xredirect=//veryevilwebsite.evil they will be redirected to https://veryevilwebsite.evil
This is because the exact value of the xredirect parameter ("//veryevilwebsite.evil") is written unchanged into the Location header, and a browser interprets a leading "//" as a protocol-relative URL pointing at another host.
Consider collapsing the run of leading forward and backward slashes in the xredirect parameter down to a single slash, as this tells the browser the path is relative to the site and not an absolute (protocol-relative) URL.
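As an added example (not XWiki's own code), the following Python function applies the normalisation proposed above: every leading forward or backward slash is collapsed into one, so "//veryevilwebsite.evil" becomes the site-relative path "/veryevilwebsite.evil". It goes a step beyond the report by also refusing values that carry a URL scheme, because collapsing slashes alone turns "https://host" into "https:/host", which browsers still load as an absolute URL; DEFAULT_TARGET and the sample values are assumptions.

```python
import re
from typing import Optional

# Assumption: where to send the user when the xredirect value is unusable.
DEFAULT_TARGET = "/"

# RFC 3986 scheme prefix, e.g. "https:", "javascript:". Used to reject absolute URLs.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def safe_redirect_target(xredirect: Optional[str]) -> str:
    """Return a site-relative path derived from the xredirect parameter.

    Browsers treat a backslash in the authority position like a forward slash,
    so "/\\evil.example" is fetched as "//evil.example". Backslashes are therefore
    normalised before the leading run of slashes is collapsed to exactly one.
    """
    if not xredirect:
        return DEFAULT_TARGET
    # Drop control characters and surrounding whitespace that could hide the
    # leading slashes from a naive prefix check.
    value = "".join(ch for ch in xredirect if ch.isprintable()).strip()
    value = value.replace("\\", "/")
    # "https://evil.example" would survive slash-collapsing as "https:/evil.example",
    # which browsers still treat as an absolute URL, so refuse any scheme outright.
    if _SCHEME_RE.match(value):
        return DEFAULT_TARGET
    # Collapse "//host", "///host", ... into "/host": a path on the current site.
    return "/" + value.lstrip("/")


if __name__ == "__main__":
    # Constructed sample values illustrating the report's case and its variants.
    samples = [
        "//veryevilwebsite.evil",        # the reported payload
        "/\\veryevilwebsite.evil",       # backslash variant
        "   ///veryevilwebsite.evil",    # padded, extra slashes
        "https://veryevilwebsite.evil",  # absolute URL with scheme
        "/bin/view/Main/WebHome?x=1",    # legitimate site-relative target
        None,                            # parameter absent
    ]
    for raw in samples:
        print(f"{raw!r:35} -> {safe_redirect_target(raw)!r}")
```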