CVE-2013-4390 — Apache Sling Auth Core bundle vulnerable to Open Redirection

Description

Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."

How to fix CVE-2013-4390

To remediate CVE-2013-4390, upgrade the affected package to a fixed version below.

—upgrade to 1.1.4 or later

Is CVE-2013-4390 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.1.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4390
PATCHgithub.com/apache/sling-org-apache-sling-auth-core
WEBmail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4qdFxEW9NXBJoMsrBama8LFNyir%2B61A0Vfzp4njEpeU%3Dw%40mail.gmail.com%3E
WEBsecunia.com/advisories/55249