CVE-2013-4390

Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."

Published: Oct 24, 2013
Updated: Apr 13, 2023
CVE: CVE-2013-4390
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
apache / sling_auth_core_component	-	1.1.2.x
apache / sling_auth_core_component	1.0.6	1.0.6.x
apache / sling_auth_core_component	1.0.4	1.0.4.x
apache / sling_auth_core_component	1.1.0	1.1.0.x
apache / sling_auth_core_component	1.0.2	1.0.2.x
apache / sling	-	-

http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4qdFxEW9NXBJoMsrBama8LFNyir%2B61A0Vfzp4njEpeU%3Dw%40mail.gmail.com%3E
http://secunia.com/advisories/55249
http://www.securityfocus.com/bid/63241
https://issues.apache.org/jira/browse/SLING-3141

Vulnerability Database

290,206

CVE-2013-4390