Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qN2YyLWNxdnEtNWpjZs4AAe7h

Apache Sling Auth Core bundle vulnerable to Open Redirection

Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."

Permalink: https://github.com/advisories/GHSA-j7f2-cqvq-5jcf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qN2YyLWNxdnEtNWpjZs4AAe7h
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


CVSS Score: 4.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00348
EPSS Percentile: 0.72509

Identifiers: GHSA-j7f2-cqvq-5jcf, CVE-2013-4390
References: Repository: https://github.com/apache/sling-org-apache-sling-auth-core
Blast Radius: 9.1

Affected Packages

maven:org.apache.sling:org.apache.sling.auth.core
Dependent packages: 59
Dependent repositories: 88
Downloads:
Affected Version Ranges: < 1.1.4
Fixed in: 1.1.4
All affected versions: 1.0.0, 1.0.2, 1.0.4, 1.0.6, 1.1.0, 1.1.2
All unaffected versions: 1.1.4, 1.1.6, 1.1.8, 1.2.0, 1.3.0, 1.3.2, 1.3.4, 1.3.6, 1.3.8, 1.3.10, 1.3.12, 1.3.14, 1.3.16, 1.3.18, 1.3.20, 1.3.22, 1.3.24, 1.3.26, 1.4.0, 1.4.2, 1.4.4, 1.4.6, 1.4.8, 1.5.0, 1.5.2, 1.5.4, 1.5.6, 1.5.8, 1.6.0, 1.6.2, 1.7.0