Bug
Resolution: Won't Fix
Major
3.6M6
How to reproduce
- disable the "ignore browser test" in the _admin section of the back-office
- access the back-office with an unknown browser
Actual behavior
- A page is displayed with a message explaining that this browser is not compatible
- the URI parameter is visible in the address bar
- the parameter is used without any control to create the redirection link on the button to force access; this is an XSS security flaw
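As an added example (not code from this report or from the project), the sketch below models the "force access" button described above in JavaScript: one renderer drops the URI parameter straight into the href, the other restricts it to a site-local path and escapes it before rendering. The function names and the fallback path `/admin/` are assumptions; the real page is not shown here.

```javascript
// Added example, not the project's code. Models an "unsupported browser"
// page whose "force access" button links back to a URI taken from the
// request. Function names and the fallback path are assumptions.

// Vulnerable form: the request parameter is interpolated unchanged, so
// a value like "><script>... breaks out of the attribute and
// javascript: or //host values turn the button into an open redirect.
function renderForceButtonUnsafe(uri) {
  return `<a class="btn" href="${uri}">Force access</a>`;
}

// Escape the characters that matter inside a quoted HTML attribute.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only a site-local absolute path: a single leading "/", not
// followed by "/" or "\" (browsers treat both as scheme-relative), no
// scheme, no whitespace or control characters. Re-check after percent
// decoding so "/%2F%2Fevil" cannot smuggle a "//" prefix. Anything else
// falls back to an assumed default admin page.
function safeLocalPath(uri, fallback = '/admin/') {
  if (typeof uri !== 'string') return fallback;
  if (!/^\/(?![\/\\])[^\s\x00-\x1f]*$/.test(uri)) return fallback;
  let decoded;
  try {
    decoded = decodeURIComponent(uri);
  } catch (e) {
    return fallback; // malformed percent-encoding
  }
  if (/^\/[\/\\]/.test(decoded) || /[\s\x00-\x1f]/.test(decoded)) return fallback;
  return uri;
}

// Hardened form: validate the target, then escape it for the attribute.
function renderForceButtonSafe(uri) {
  return `<a class="btn" href="${escapeHtmlAttr(safeLocalPath(uri))}">Force access</a>`;
}

// Constructed sample inputs, as a browser would send them in the query string.
const SAMPLE_INPUTS = [
  '/admin/page.jsp?x=1',           // legitimate local path
  '"><script>alert(1)</script>',   // attribute breakout
  'javascript:alert(1)',           // script-scheme redirect
  '//evil.example/',               // scheme-relative open redirect
  '/%2F%2Fevil.example/',          // encoded "//" prefix
];

for (const input of SAMPLE_INPUTS) {
  console.log('unsafe:', renderForceButtonUnsafe(input));
  console.log('safe:  ', renderForceButtonSafe(input));
}
```

The allow-list on the path is what removes the redirect; the attribute escaping is what removes the markup injection, and both are needed because a value can be a valid local path and still contain a quote.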
I don't think this is true.
If it were true, any login page (that includes a redirection) would be a security hole... such as CAS?
Whatever, in v4 this does not exist anymore.