mod_auth_mellon up to and including 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.
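The check below is an added example, not mod_auth_mellon's code (the module is written in C and its source is not shown on this page). It shows why a `ReturnTo` value with a scheme but no `//` passes a host comparison that only runs when the parser reports a host, alongside a stricter validator. The allow-listed host, function names and sample URLs are constructed, and the strict check goes beyond the `http:` case to cover scheme-relative and backslash forms.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"sp.example.org"}  # constructed: hosts the service provider may return to


def naive_is_safe(url, allowed=ALLOWED_HOSTS):
    """Weak check: compares the host only when the parser reports one."""
    host = urlsplit(url).hostname
    return host is None or host in allowed


def strict_is_safe(url, allowed=ALLOWED_HOSTS):
    """Hardened check: reject anything a browser could read as another origin."""
    # Browsers normalise backslashes and drop whitespace/control characters;
    # urlsplit does not treat them the same way, so refuse them outright.
    if any(c == "\\" or ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme:
        # Absolute URL: must be http(s) AND carry an explicit allow-listed host.
        # "http:host/path" has a scheme but an empty host, so it fails here.
        return parts.scheme in ("http", "https") and parts.hostname in allowed
    if parts.netloc:
        # Scheme-relative "//host/path" still names a host.
        return parts.hostname in allowed
    # Relative reference: accept only a single-slash local path.
    return url.startswith("/") and not url.startswith("//")


# Constructed ReturnTo values for the comparison.
SAMPLES = [
    "/protected/page",
    "https://sp.example.org/app?x=1",
    "http://other.example.net/",
    "http:other.example.net/landing",   # scheme present, "//" omitted
    "//other.example.net/landing",
    "/\\other.example.net/landing",
]


def audit(samples=SAMPLES):
    """Return (url, naive_verdict, strict_verdict) for each sample."""
    return [(u, naive_is_safe(u), strict_is_safe(u)) for u in samples]


if __name__ == "__main__":
    for url, naive, strict in audit():
        print(f"{url!r:40} naive={naive!s:5} strict={strict}")
```

The fourth sample is the one where the two checks disagree in the way the advisory describes: the parser reports a scheme and an empty host, so the naive comparison never runs.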
Vulnerable Product |
---|
mod auth mellon project mod auth mellon |
oracle zfs storage appliance kit 8.8 |
fedoraproject fedora 30 |
fedoraproject fedora 31 |
canonical ubuntu linux 18.04 |
canonical ubuntu linux 18.10 |