CVE-2013-4390 – org.apache.sling:org.apache.sling.auth.core

Package

Manager: maven
Name: org.apache.sling:org.apache.sling.auth.core
Vulnerable Version: >=0 <1.1.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01325 pctl0.79139

Details

Apache Sling Auth Core bundle vulnerable to Open Redirection Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."

Metadata

Created: 2022-05-17T04:59:24Z
Modified: 2023-08-29T19:02:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j7f2-cqvq-5jcf/GHSA-j7f2-cqvq-5jcf.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-j7f2-cqvq-5jcf
Finding: F100
Auto approve: 1