
SS-2015-012: External redirection risk in Security?ReturnURL

Severity: Medium
Versions Affected:
3.0.13 and below, 3.1.0 to 3.1.13-rc1
Versions Fixed:
3.0.14, 3.1.13
Release Date:

A vulnerability has been found in the SilverStripe framework: the ReturnURL parameter accepted by the login form is not restricted to the site itself, so a crafted login URL can send the user to an external site after they authenticate (an open redirect).

For example, a login URL whose ReturnURL parameter names an external site will redirect successful logins to that site. If that site were set up to look identical to the original and displayed "login failed", the user would likely just enter their username and password again, handing their credentials to the attacker.
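The hardening a practitioner wants here is to treat ReturnURL as untrusted input and honour only values that keep the browser on the site. The following is an added example written for this page; it is not SilverStripe's own code or the patch shipped in 3.0.14/3.1.13. The host name example.com, the function names and the sample ReturnURL values are all constructed for illustration. It is written in Python, but the rules carry over to PHP's parse_url; the point it makes is that a URL parser alone is not sufficient, because browsers treat a backslash like a forward slash and any run of leading slashes as the start of an authority, so "/\evil.example" and "///evil.example" both leave the site even though a parser reports them as plain paths.

```python
"""Open-redirect check for a ReturnURL-style parameter.

Added example for this advisory, not SilverStripe code. The site host
"example.com" and every sample URL below are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit


def is_safe_return_url(url: str, allowed_host: Optional[str] = None) -> bool:
    """Return True only if redirecting to `url` keeps the browser on this site.

    Accepts site-absolute paths ("/admin/pages") and, when `allowed_host` is
    given, http(s) URLs whose host is exactly that host. Everything else,
    including protocol-relative URLs and non-http schemes, is rejected.
    """
    if not url:
        return False
    # Control characters and spaces are never legitimate here; tabs and
    # newlines in particular can split a header or let a scheme be smuggled
    # past a parser that strips them ("java\tscript:").
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    # Browsers treat "\" as "/" in http(s) URLs, so normalise before parsing;
    # otherwise "/\evil.example" parses as a path but navigates to evil.example.
    normalized = url.replace("\\", "/")
    parts = urlsplit(normalized)

    if parts.scheme:
        # Absolute URL: only http(s) to the site's own host is acceptable.
        if allowed_host is None or parts.scheme not in ("http", "https"):
            return False
        # .hostname strips userinfo and port, so "https://example.com@evil.example/"
        # yields "evil.example" and is rejected. (Port differences are ignored.)
        return (parts.hostname or "") == allowed_host.lower()

    # Relative URL: "//host/..." is protocol-relative and leaves the site.
    if parts.netloc:
        return False
    # Require exactly one leading slash. urlsplit reports "///evil.example" as
    # an empty netloc with path "/evil.example", but browsers collapse the run of
    # slashes and navigate to evil.example, so check the raw string, not the path.
    if not normalized.startswith("/") or normalized.startswith("//"):
        return False
    return True


def post_login_location(return_url: Optional[str],
                        allowed_host: str = "example.com",
                        fallback: str = "/") -> str:
    """Choose the Location for the 302 issued after a successful login.

    An unsafe or missing ReturnURL degrades to the site root rather than
    failing the login, so a phishing link simply lands the user on the site.
    """
    if return_url and is_safe_return_url(return_url, allowed_host):
        return return_url
    return fallback


# Constructed ReturnURL values (not taken from the advisory) and how they fare.
SAMPLE_RETURN_URLS = [
    "/admin/pages",                              # safe: site-absolute path
    "https://example.com/admin",                 # safe: our own host
    "//attacker.example/Security/login",         # unsafe: protocol-relative
    "/\\attacker.example/Security/login",        # unsafe: backslash trick
    "///attacker.example/Security/login",        # unsafe: slash run
    "https://example.com@attacker.example/",     # unsafe: userinfo spoof
    "https://attacker.example/Security/login",   # unsafe: foreign host
    "javascript:alert(1)",                       # unsafe: non-http scheme
]

if __name__ == "__main__":
    for candidate in SAMPLE_RETURN_URLS:
        print(f"{candidate!r:45} -> {post_login_location(candidate)}")
```

The fallback-rather-than-error choice matters for the scenario in this advisory: the victim who clicked the crafted link still logs in normally and sees the real site, while the attacker's look-alike "login failed" page is never reached.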

Common Vulnerability Scoring System (CVSS) Information

Credit to Matt Lang for reporting this issue.