Vulnerability Name: CVE-2013-4390 (CCN-88165)
Assigned: 2013-10-20
Published: 2013-10-20
Updated: 2013-10-25
Summary: Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity: 5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
    4.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
    3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-20 (Improper Input Validation)
Vulnerability Consequences: Other
References:
    MITRE (CNA): CVE-2013-4390
    MLIST (Vendor Advisory): [sling-dev] 20131020 CVE-2013-4390: Apache Sling open redirect on login
    CCN: sling-users mailing list archives, Sun, 20 Oct 2013 14:34:25 GMT, CVE-2013-4390: Apache Sling open redirect on login
    CCN: SA55249 Apache Sling Auth Core Component "resource" Open Redirection Weakness
    SECUNIA (Vendor Advisory): 55249
    CCN: Apache Web site, Apache Sling
    BID: 63241
    CCN: BID-63241 Apache Sling 'AbstractAuthenticationFormServlet' Open Redirection Vulnerability
    XF: apache-sling-cve20134390-open-redirect(88165)
    CONFIRM: https://issues.apache.org/jira/browse/SLING-3141
Vulnerable Configuration: Configuration 1: Apache Sling Auth Core (org.apache.sling.auth.core) bundle before 1.1.4
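How this class of bug arises and the check that closes it, as an added example that is not Apache Sling's code and not the SLING-3141 fix: a login servlet reads a "resource" (return-to) parameter and, after authentication, redirects to it. The vulnerable form uses the parameter as given, so a link such as /login?resource=http://evil.example/ sends a freshly authenticated user to an attacker's page; the hardened form accepts only a root-relative path under the servlet's own context. The class name, the method names, the "/sling" context path and the sample inputs are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example (not Apache Sling code): validating a login form's "resource"
// (return-to) parameter so the post-login redirect cannot leave the site.
// Class/method names and the "/sling" context path are assumptions.
public final class RedirectTargetCheck {

    private RedirectTargetCheck() {}

    // Vulnerable pattern: the request parameter becomes the Location header
    // as-is, so ?resource=http://evil.example/ redirects off-site after login.
    static String vulnerableTarget(String resourceParam) {
        return resourceParam;
    }

    // Hardened pattern: anything that is not a same-site path under the
    // context root falls back to the context root.
    static String hardenedTarget(String resourceParam, String contextPath) {
        return isSafeRedirectTarget(resourceParam, contextPath)
                ? resourceParam
                : contextPath + "/";
    }

    // True only for a root-relative path that stays inside contextPath once
    // "." and ".." segments are resolved. Rejected:
    //   - absolute URLs (http://..., javascript:..., data:...)
    //   - protocol-relative URLs (//evil.example/...)
    //   - inputs java.net.URI refuses to parse (backslash, CR/LF, space);
    //     browsers treat "/\evil.example" like "//evil.example", so such
    //     input is rejected rather than "repaired".
    static boolean isSafeRedirectTarget(String target, String contextPath) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return false;
        }
        String path = uri.normalize().getRawPath();
        if (path == null || !path.startsWith("/")) {
            return false;
        }
        // "/sling/../../evil" normalizes to "/../evil" and fails this check.
        return path.equals(contextPath) || path.startsWith(contextPath + "/");
    }

    public static void main(String[] args) {
        String contextPath = "/sling"; // assumed servlet context path
        String[] samples = {            // constructed inputs
            "/sling/content/home.html", // legitimate return-to
            "/sling",                   // the context root itself
            "http://evil.example/login",// absolute URL: phishing page
            "//evil.example/login",     // protocol-relative URL
            "/\\evil.example/login",    // backslash variant
            "javascript:alert(1)",      // script URL, rejected as absolute
            "/sling/../../evil",        // traversal out of the context
            "",                         // missing parameter
        };
        for (String s : samples) {
            System.out.printf("%-30s vulnerable -> %-28s hardened -> %s%n",
                    "\"" + s + "\"",
                    vulnerableTarget(s),
                    hardenedTarget(s, contextPath));
        }
    }
}
```

Compile with javac RedirectTargetCheck.java and run it: the "vulnerable" column echoes every input, the "hardened" column keeps only the first two and sends everything else to /sling/. Run the check on the parameter exactly as the servlet will pass it to sendRedirect; validating a differently decoded copy of the value is a common way to reintroduce the bug.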