Open-Redirect Vulnerability in Login URL Parameters
Package: saleor/react-storefront (GitHub)
Affected versions: ≤ ca86cd6433cd68426e28b028539c2fd8f4d496a6
Patched versions: >= c29aab226f07ca980cc19787dcef101e11b83ef7
The URL parameter "next" at /[channel]/[locale]/account/login/ in react-storefront has an open-redirect vulnerability: its value is not restricted to the storefront's own origin, so it could be used to trick the user into disclosing sensitive information through phishing attacks or social engineering tactics.
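The defensive pattern for this class of bug is to treat a post-login redirect parameter as untrusted input and accept it only when it resolves to a path on the storefront's own origin. The validator below is an added example, not code from saleor/react-storefront or its patch; the function name, the fallback path and the placeholder origin are assumptions. It rejects absolute URLs, protocol-relative values (//host), the backslash variant (/\host) that browsers normalise to a scheme-relative URL, and control or whitespace characters, then confirms with the URL parser that the origin is unchanged.

```javascript
// Added example: validator for an untrusted "next" (post-login redirect)
// parameter. Illustrative code, not the project's own fix; the function
// name, DEFAULT_REDIRECT and the placeholder origin are assumptions.

const DEFAULT_REDIRECT = "/";
const SITE_ORIGIN = "https://storefront.example"; // placeholder, for parsing only

// Return `next` only if it is a same-origin, path-only value.
// Anything else (absolute URL, //host, /\host, control chars, non-string)
// falls back to DEFAULT_REDIRECT.
function safeNextPath(next) {
  if (typeof next !== "string" || next.length === 0) return DEFAULT_REDIRECT;

  // Exactly one leading slash, not followed by another slash or a backslash
  // (browsers treat "//host" and "/\host" as scheme-relative URLs).
  if (!/^\/(?![\/\\])/.test(next)) return DEFAULT_REDIRECT;

  // Control characters and whitespace are stripped by some URL parsers,
  // which can turn a rejected value into an accepted one; refuse them outright.
  if (/[\u0000-\u001f\u007f\s]/.test(next)) return DEFAULT_REDIRECT;

  // Belt and braces: resolve against a fixed origin and require that the
  // origin did not change after parsing.
  let parsed;
  try {
    parsed = new URL(next, SITE_ORIGIN);
  } catch {
    return DEFAULT_REDIRECT;
  }
  if (parsed.origin !== SITE_ORIGIN) return DEFAULT_REDIRECT;

  // Re-emit only path, query and fragment, never a host.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs showing accepted and rejected values.
const samples = [
  "/account/orders",
  "/checkout?step=2#pay",
  "//evil.example/phish",
  "/\\evil.example",
  "https://evil.example/",
  "/a\tb",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeNextPath(s));
}
```

A login handler would call safeNextPath(req.query.next) and redirect to its return value; the fallback means a malformed or hostile value simply lands the user on the site root instead of an attacker-controlled host. The same check also belongs wherever the "next" value is rendered into a link, since a redirect that is validated server-side but echoed unvalidated client-side reopens the issue.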
Patches
Workarounds
We recommend upgrading to the latest version as soon as possible. If unable, a possible workaround is to strip the "next" parameter from requests to the login page (e.g. with a WAF).
References