### Impact The `getLoginRedirect()` method contains a weakness to backslash bypasses allowing redirect targets with attacker controlled hostnames. ### Patches 3.3.6 and 4.1.1 contain a fix for this issue. ### Workarounds If you are unable to upgrade, you should consider adding application validation to the redirect query string parameter to mitigate this vulnerability.
Get alerted for CVEs like this
Register your stack and get notified within minutes when a matching CVE drops.
Start monitoring free