[Open] siepkes opened 6 years ago
The issue is with handling of the `goto` and `gotoOnFail` parameters. There are 2 affected components: RESTLoginView and CommonConfig (part of the Commons UI project).

I can see that the latest updates to the UI (maybe together with the introduction of React) introduced a special `gotoUrl` component, but that is just a parameter wrapper without any sanitization / validation logic.
TL;DR: This issue applies to us.

Since we share a common heritage with OpenAM, the issue described here as "Issue #201801-04: Open Redirect" probably affects wren:AM too. We need to evaluate if and how this issue affects wren:AM and fix it.
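For reference, this is what the missing validation step looks like when written out. It is an added example, not code from wren:AM, OpenAM or the Commons UI project; the function name `safe_goto`, the allowlist of hosts, the default target and the sample inputs are all assumptions constructed for illustration. The check accepts either a local absolute path or an absolute URL whose scheme and host are explicitly allowed, and falls back to a fixed default for everything else, including the spellings browsers interpret as a different host (`//host`, `///host`, `/\host`, embedded tabs, and userinfo tricks).

```python
"""Validate a post-login redirect target such as a goto / gotoOnFail value.

Added example; names and the allowlist below are assumptions, not wren:AM code.
"""
from urllib.parse import urlsplit

# Constructed sample allowlist: hosts the login flow may redirect to.
ALLOWED_HOSTS = frozenset({"sso.example.org", "app.example.org"})
ALLOWED_SCHEMES = frozenset({"https"})
DEFAULT_TARGET = "/"


def safe_goto(goto, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return `goto` if it is a safe redirect target, otherwise `default`.

    Accepted: an absolute-path reference ("/console/...") or an absolute URL
    whose scheme and host are on the allowlist. Anything else is replaced by
    the default target rather than being passed through to the browser.
    """
    if not goto:
        return default

    # Browsers strip or ignore ASCII whitespace and control characters inside
    # a URL ("/\t/evil.example" is navigated as "//evil.example") and treat
    # "\" like "/". Reject those characters instead of trying to normalise.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F or c == "\\" for c in goto):
        return default

    try:
        parts = urlsplit(goto)
    except ValueError:  # e.g. malformed IPv6 literal
        return default

    if not parts.scheme and not parts.netloc:
        # Relative reference: require exactly one leading "/", so that
        # "///evil.example" (a network-path reference to a browser, even
        # though urlsplit reports an empty netloc) is not treated as local.
        if goto.startswith("/") and not goto.startswith("//"):
            return goto
        return default

    # Absolute URL (or scheme-relative "//host"): scheme and host must be on
    # the allowlist, and the authority must not carry userinfo, which is how
    # "https://sso.example.org@evil.example/" ends up at evil.example.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return default
    if parts.username is not None or parts.password is not None:
        return default
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        return default
    return goto


if __name__ == "__main__":
    # Constructed sample inputs: the first two are legitimate, the rest are
    # the kinds of values an open-redirect check has to refuse.
    samples = [
        "/console/dashboard",
        "https://sso.example.org/dash",
        "//evil.example/phish",
        "///evil.example",
        "/\\evil.example",
        "/\t/evil.example",
        "javascript:alert(1)",
        "https://sso.example.org@evil.example/",
        "https://sso.example.org.evil.example/",
        "http://sso.example.org/",
    ]
    for value in samples:
        print(f"{value!r:45} -> {safe_goto(value)!r}")
```

Exact host matching is deliberate: a suffix or substring check on the host would let `sso.example.org.evil.example` through, and the `urlsplit` result is only consulted after the raw string has been screened for the characters that browsers and server-side parsers disagree about.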