Severity: High
Vendor: The Apache Software Foundation
Versions Affected: Apache Sling Authentication Service 1.4.0
Description: A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method allows an attacker to use the Sling login form to trick a victim into handing over their credentials.
Mitigation: Users should upgrade to version 1.4.2 or later of the Apache Sling Authentication Service module.
Credit: François Lajeunesse-Robert
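The advisory does not reproduce the affected method or say which inputs it mishandled, so the example below is not Sling's code and does not claim to match the 1.4.2 fix. It is an added, illustrative redirect-target validator for a generic Java servlet application, showing the checks a reviewer would expect a method like isRedirectValid to pass before a login form sends a browser to a caller-supplied target. The class and method names, the "/app" context path and the test vectors are all constructed for this example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.util.Arrays;

/**
 * Illustrative post-login redirect-target validator. This is NOT the Apache Sling
 * AuthUtil#isRedirectValid implementation; it shows the checks a reviewer would
 * expect such a method to pass. Only a same-origin path under the given context
 * path is accepted, so the login form cannot forward a victim to another host.
 */
public final class RedirectTargetValidator {

    private RedirectTargetValidator() {}

    public static boolean isRedirectTargetSafe(String target, String contextPath) {
        if (target == null || target.isEmpty() || hasControlChars(target)) {
            return false;
        }
        // Must be an absolute path on this server. "//host" is a protocol-relative
        // URL and several browsers treat "/\host" the same way; both are refused,
        // as is any other backslash.
        if (target.charAt(0) != '/' || target.startsWith("//") || target.startsWith("/\\")
                || target.indexOf('\\') >= 0) {
            return false;
        }
        // Decode once and repeat the checks: containers and browsers may decode the
        // path before it is used, so "/%2F%2Fevil" must not turn into "//evil" and
        // an encoded CR/LF must not reach the Location header.
        String decoded;
        try {
            decoded = URLDecoder.decode(target, "UTF-8");
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            return false; // malformed percent-encoding
        }
        if (hasControlChars(decoded) || decoded.startsWith("//") || decoded.indexOf('\\') >= 0) {
            return false;
        }
        // Refuse dot segments outright instead of normalizing them: "/app/..%2F.." is
        // simpler to reject than to reason about after decoding.
        String decodedPath = decoded.split("[?#]", 2)[0];
        for (String segment : decodedPath.split("/")) {
            if (segment.equals("..")) {
                return false;
            }
        }
        // Let java.net.URI confirm there is no scheme or authority (host/user-info) part.
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        // Finally the path must stay inside this application's context path.
        String path = uri.getPath();
        String prefix = (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath + "/";
        return path != null && (path.equals(contextPath) || path.startsWith(prefix));
    }

    private static boolean hasControlChars(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return true;
            }
        }
        return false;
    }

    // Constructed test vectors; the second list holds classic redirect-validation bypasses.
    public static void main(String[] args) {
        String ctx = "/app";
        for (String t : Arrays.asList("/app", "/app/", "/app/content/page.html?x=1")) {
            System.out.println((isRedirectTargetSafe(t, ctx) ? "accept " : "REJECT ") + t);
        }
        for (String t : Arrays.asList("https://evil.example/", "//evil.example/", "/\\evil.example/",
                "/%2F%2Fevil.example/", "/app/..%2F..%2Fother", "/app%0d%0aSet-Cookie:x=y",
                "/other/page", "javascript:alert(1)", "")) {
            System.out.println((isRedirectTargetSafe(t, ctx) ? "ACCEPT " : "reject ") + t);
        }
    }
}
```

The design choice worth noting is that the validator refuses anything it cannot positively classify as a same-origin path: dot segments are rejected rather than normalized, percent-decoding is applied once and the checks are repeated on the result, and java.net.URI is used only as a second opinion on scheme and authority, never as the sole gate. Whatever the precise defect in the 1.4.0 method was, a login form that redirects only to targets passing checks of this kind cannot be pointed at an attacker's host.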