The "next" parameter of the /accounts/login endpoint in Seafile 9.0.6 allows malicious users to redirect users to arbitrary sites.
Vendor: seafile; Product: seafile; Version: 9.0.6
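A server-side check of the kind that closes this class of bug, validating a post-login "next" value before redirecting. This is an added example, not Seafile's code or its fix. The function names, the fallback path "/" and the host files.example.org are assumptions made for illustration.

```python
from urllib.parse import urlsplit

FALLBACK = "/"  # assumed default landing page after login


def is_safe_next(target, allowed_hosts, require_https=True):
    """Return True only if `target` stays on this site or an allowed host."""
    if not target:
        return False
    # Browsers drop tabs/newlines and trim spaces inside URLs, so a value
    # carrying them may parse differently here than in the browser.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" like "/" in http(s) URLs.
    candidate = target.replace("\\", "/")
    # "///host" is resolved by browsers as a scheme-relative URL to host.
    if candidate.startswith("///"):
        return False
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Pure relative reference: accept rooted paths only.
        return candidate.startswith("/")
    # Absolute URL: explicit scheme and exact host match required.
    # Scheme-relative "//host/..." values fall through and are rejected.
    schemes = ("https",) if require_https else ("http", "https")
    if parts.scheme.lower() not in schemes:
        return False
    # .hostname strips userinfo and port, so "allowed@other" yields "other".
    host = parts.hostname
    return host is not None and host in allowed_hosts


def resolve_next(target, allowed_hosts, fallback=FALLBACK):
    """Redirect destination to use: the validated target or the fallback."""
    return target if is_safe_next(target, allowed_hosts) else fallback


if __name__ == "__main__":
    hosts = {"files.example.org"}  # constructed sample configuration
    for value in ("/library/1/", "//other.example/", "https://other.example/"):
        print(repr(value), "->", resolve_next(value, hosts))
```
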