| 제목 | https://github.com/jeecgboot/JeecgBoot JeecgBoot v3.9.2 Open Redirect |
|---|
| 설명 | JeecgBoot v3.9.2 contains an Open Redirect vulnerability in the OAuth2 login flow. The state parameter in /sys/thirdLogin/oauth2/{source}/login and /sys/thirdLogin/oauth2/{source}/callback is user-controlled and passed directly to HttpServletResponse.sendRedirect() without validation.
An attacker can exploit this to redirect users to arbitrary URLs. In the OAuth2 callback flow, the victim's JWT token is appended to the redirect URL, which may lead to token leakage and account takeover. |
|---|
| 원천 | ⚠️ https://github.com/jeecgboot/JeecgBoot/issues/9639 |
|---|
| 사용자 | mukyuuhate (UID 93052) |
|---|
| 제출 | 2026. 05. 22. AM 08:30 (18 날 ago) |
|---|
| 모더레이션 | 2026. 06. 07. PM 03:48 (16 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 369122 [JeecgBoot 까지 3.9.2 Third-Party Login ThirdLoginController.java HttpServletResponse.sendRedirect state] |
|---|
| 포인트들 | 20 |
|---|