CVE-2021-21337

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install "Products.PluggableAuthService>=2.6.1".

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install "Products.PluggableAuthService>=2.6.1".

Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install "Products.PluggableAuthService>=2.6.1".

### Impact _What kind of vulnerability is it? Who is impacted?_ Open redirect vulnerability - a maliciously crafted link to the login form and login functionality could redirect the browser to a different website. ### Patches _Has the problem been patched? What versions should users upgrade to?_ The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install "Products.PluggableAuthService>=2.6.1"` ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ There is no workaround. Users are encouraged to upgrade. ### References _Are there any links users can visit to find out more?_ - [GHSA-p44j-xrqg-4xrr](https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr) - [Products.PluggableAuthService on PyPI](https://pypi.org/project/Products.PluggableAuthService/) - [OWASP page on open redirects](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) ### For more information If you have any questions or comments about this advisory: * Open an issue in the [Products.PluggableAuthService issue tracker](https://github.com/zopefoundation/Products.PluggableAuthService/issues) * Email us at [security@plone.org](mailto:security@plone.org)

Products.PluggableAuthService es un framework de autenticación y autorización de Zope conectable. En Products.PluggableAuthService versiones anteriores a 2.6.0, se presenta una vulnerabilidad de redireccionamiento abierto. Un enlace maliciosamente diseñado en el formulario de inicio de sesión y la funcionalidad login podría redireccionar el navegador a un sitio web diferente. El problema ha sido corregido en la versión 2.6.1. Dependiendo de cómo haya instalado Products.PluggableAuthService, debe cambiar el pin de la versión de compilación a "2.6.1" y volver a ejecutar la compilación, o si usó pip simplemente haga la instalación de pip "Products.PluggableAuthService versiones posteriores o iguales a 2.6.1"