Details
- Type: Bug
- Resolution: Fixed
- Priority: Critical
- Fix Version: 13.5-rc-1
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
Open <xwiki-host>/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://www.example.com where <xwiki-host> is the URL of your XWiki installation.
Expected result:
No redirect is performed; at most an error message is displayed.
Actual result:
The browser is redirected to https://www.example.com. This demonstrates an open redirect vulnerability that could be used, e.g., for phishing attacks.
This has been reported on SonarCloud, see https://sonarcloud.io/project/issues?open=AXnpAhzJDDFOvAKXAQy3&id=org.xwiki.platform%3Axwiki-platform.