Open Redirection Allowed
Issue date: 15-01-2020
Affects versions: 13.4, 13.3, 12.5, 11.2
Issue ID
SECURITY-131
Affected Product Version(s)
13.4.0, 12.6.7, 11.2.16 (and previous minor and patch releases)
Severity
Low
Description
Open redirection is allowed in the affected application, which allows a malicious individual to perform social engineering attacks such as phishing. The redirection is performed after valid credentials have been entered to access the application.
Steps to Reproduce:
- Open a web browser and access the following URL: https://<server>/site/login/form
- While intercepting traffic with an intercepting proxy, submit valid credentials.
- Observe the parameter 'destination' in the body of the request; it indicates the destination upon successful login and can be altered by modifying its value.
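The application-side fix for this class of issue is to validate the 'destination' value before issuing the redirect, so that only locations on the application's own origin are honoured. The following is an added example of such a check (not code from the affected product or from this advisory); the landing page /site/home and the host app.example.com are assumed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumed values for this example: the post-login landing page and this
# deployment's own host. Both are placeholders, not taken from the advisory.
DEFAULT_LANDING = "/site/home"
OWN_HOSTS = frozenset({"app.example.com"})

# C0 control characters, space and DEL: browsers strip or tolerate some of
# these before parsing, so a naive prefix check can be bypassed with them.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x20\x7f]")


def safe_destination(destination, default=DEFAULT_LANDING, own_hosts=OWN_HOSTS):
    """Return `destination` only if it cannot leave this site, else `default`.

    Accepts (a) an absolute path on the current origin, or (b) an https URL
    whose authority exactly matches one of `own_hosts`. Everything else
    (other schemes, other hosts, protocol-relative URLs, backslash tricks)
    falls back to the default landing page.
    """
    if not destination or _FORBIDDEN_CHARS.search(destination):
        return default
    # Browsers treat "\" as "/", so "/\evil.example" is really "//evil.example".
    if "\\" in destination:
        return default
    try:
        parts = urlsplit(destination)
    except ValueError:  # e.g. unbalanced "[" in the authority part
        return default
    # Case (a): path-only, same origin. Exactly one leading slash: two or more
    # ("//host", "///host") are resolved by browsers as an authority.
    if (not parts.scheme and not parts.netloc
            and destination.startswith("/") and not destination.startswith("//")):
        return destination
    # Case (b): absolute URL back to ourselves. Compare the whole authority so
    # "https://app.example.com@evil.example/" (userinfo trick) does not match.
    if parts.scheme == "https" and parts.netloc.lower() in own_hosts:
        return destination
    return default


if __name__ == "__main__":
    # Constructed sample values of the 'destination' parameter.
    samples = ["/site/home", "//evil.example/", "///evil.example", "/\\evil.example",
               "https://evil.example/", "https://app.example.com/site/home",
               "https://app.example.com@evil.example/", "javascript:alert(1)"]
    for value in samples:
        print(f"{value!r:42} -> {safe_destination(value)!r}")
```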
Instructions
Every customer is advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by incrementing the version number of the parent POM of the implementation project.