Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qN2YyLWNxdnEtNWpjZs4AAe7h
Apache Sling Auth Core bundle vulnerable to Open Redirection
Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."
Permalink: https://github.com/advisories/GHSA-j7f2-cqvq-5jcfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qN2YyLWNxdnEtNWpjZs4AAe7h
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 9 months ago
CVSS Score: 4.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-j7f2-cqvq-5jcf, CVE-2013-4390
References:
- https://nvd.nist.gov/vuln/detail/CVE-2013-4390
- https://issues.apache.org/jira/browse/SLING-3141
- http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4qdFxEW9NXBJoMsrBama8LFNyir%2B61A0Vfzp4njEpeU%3Dw%40mail.gmail.com%3E
- http://secunia.com/advisories/55249
- http://www.securityfocus.com/bid/63241
- https://github.com/apache/sling-org-apache-sling-auth-core/commit/d1cd9aaa3432d577b65c50b3fbdc36d5d667ca46
- https://github.com/advisories/GHSA-j7f2-cqvq-5jcf
Blast Radius: 9.1
Affected Packages
maven:org.apache.sling:org.apache.sling.auth.core
Dependent packages: 59Dependent repositories: 88
Downloads:
Affected Version Ranges: < 1.1.4
Fixed in: 1.1.4
All affected versions: 1.0.0, 1.0.2, 1.0.4, 1.0.6, 1.1.0, 1.1.2
All unaffected versions: 1.1.4, 1.1.6, 1.1.8, 1.2.0, 1.3.0, 1.3.2, 1.3.4, 1.3.6, 1.3.8, 1.3.10, 1.3.12, 1.3.14, 1.3.16, 1.3.18, 1.3.20, 1.3.22, 1.3.24, 1.3.26, 1.4.0, 1.4.2, 1.4.4, 1.4.6, 1.4.8, 1.5.0, 1.5.2, 1.5.4, 1.5.6, 1.5.8, 1.6.0, 1.6.2, 1.7.0