Open Redirection Allowed
Issue date: 15-01-2020
Affects versions: 13.4, 13.3, 12.5, 11.2
Affected product version(s): 13.4.0, 12.6.7, 11.2.16 (and previous minor and patch releases)
The affected application allows open redirection on its login form: the post-login destination is taken from a request parameter and is not validated, so a malicious individual can craft a login link that sends the user to an arbitrary external site once authentication succeeds. Because the redirect only happens after the user has entered valid credentials, the victim has just interacted with the genuine application and is unlikely to notice that the page they land on is attacker-controlled, which makes the flaw well suited to social engineering attacks (i.e. phishing).
Steps to Reproduce:
- Open a web browser and access the following URL: https://<server>/site/login/form
- While intercepting traffic with an intercepting proxy, submit valid credentials.
- Observe the parameter 'destination' in the body of the request: it specifies where the browser is sent upon successful login, and an arbitrary URL can be supplied by modifying its value.
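The following is an added illustration, not code from the affected product, of the defect described above and of the validation that closes it. A redirect target that is copied verbatim from the 'destination' parameter is placed next to a hardened version that only accepts an absolute path on the application's own origin or an http(s) URL to an allow-listed host. The host name portal.example.com, the default landing page /home and the probe values are assumptions constructed for the example. The check deliberately rejects scheme-relative forms ('//host', '///host', '/\host'), embedded whitespace or control characters, non-http(s) schemes and user-info in absolute URLs, all of which browsers resolve differently from a naive "starts with a slash" test.

```python
from urllib.parse import urlsplit

# Hosts the login flow may redirect to after authentication (constructed for
# this example; a real deployment would take this from configuration).
ALLOWED_HOSTS = {"portal.example.com"}

# Fixed landing page used when the requested destination is rejected (assumption).
DEFAULT_LANDING = "/home"


def vulnerable_post_login_redirect(destination: str) -> str:
    """The behaviour the advisory describes: the 'destination' form field is
    trusted verbatim, so a crafted link to the login form sends the freshly
    authenticated user anywhere the attacker chooses."""
    return destination


def is_safe_destination(destination: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if redirecting to `destination` keeps the user on the
    application's own origin or on an explicitly allow-listed host."""
    if not destination:
        return False
    # Browsers strip tabs/newlines while parsing a URL, so a value containing
    # them may parse differently here than in the browser; reject any
    # whitespace or control character outright.
    if any(c.isspace() or ord(c) < 0x20 for c in destination):
        return False
    # Browsers treat backslash as a slash in http(s) URLs; normalise the same
    # way before deciding, so '/\evil.example' is seen as '//evil.example'.
    normalised = destination.replace("\\", "/")
    # Scheme-relative forms ('//host', '///host') resolve to another origin
    # even though they begin with '/'.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme:
        # Absolute URL: only http(s), no user-info (which
        # 'https://portal.example.com@evil.example/' abuses) and an
        # allow-listed host name.
        if parts.scheme not in ("http", "https"):
            return False
        if parts.username is not None or parts.password is not None:
            return False
        return parts.hostname in allowed_hosts
    # No scheme and no authority: require an absolute path on this origin.
    return parts.path.startswith("/")


def safe_post_login_redirect(destination: str, default: str = DEFAULT_LANDING) -> str:
    """Hardened replacement: fall back to a fixed landing page whenever the
    requested destination fails validation."""
    return destination if is_safe_destination(destination) else default


if __name__ == "__main__":
    # Constructed sample values an attacker might plant in a crafted login link.
    probes = (
        "/dashboard",
        "https://portal.example.com/dashboard",
        "https://evil.example/phish",
        "//evil.example",
        "///evil.example",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://portal.example.com@evil.example/",
    )
    for probe in probes:
        print(f"{probe!r:45} vulnerable -> {vulnerable_post_login_redirect(probe)!r:45} "
              f"hardened -> {safe_post_login_redirect(probe)!r}")
```

A simpler fix is to drop the parameter entirely and always redirect to a fixed page after login; the allow-list variant above is for deployments that genuinely need to return users to the page they originally requested. Whichever is chosen, the decision must be made server-side at the moment the redirect is issued, not on the form that renders the parameter.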
Every customer is advised to upgrade as soon as possible to the latest maintenance release of the affected version line, or higher. For implementation projects this is done by updating the version number of the parent POM to the fixed release and rebuilding.