com.linecorp.centraldogma
cpe:2.3:a:linecorp:central_dogma:*:*:*:*:*:*:*
- < 0.78.0
An open redirect vulnerability has been identified in Central Dogma versions prior to 0.78.0. This vulnerability allows attackers to redirect users to untrusted sites through specially crafted URLs, potentially leading to phishing attacks and credential theft. The issue is present in the Central Dogma server when using Shiro authentication.
Exploitation of this vulnerability could allow an attacker to create a malicious link that redirects a victim to a phishing website mimicking the legitimate Central Dogma login page, potentially compromising user accounts and allowing unauthorized access to the Central Dogma instance.
Central Dogma version 0.78.0 addresses this vulnerability. Server operators using Central Dogma with Shiro authentication are strongly encouraged to upgrade to this version or later. As a workaround, a custom 'AuthProvider' can be implemented that overrides 'webLoginService()'.
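The open redirect described above belongs to a well-known class: a login flow forwards the browser to a caller-supplied "return to" URL without confirming that the target stays on the server's own origin. The check below is an added example of the defensive side of that class; it is not Central Dogma code and does not use its 'AuthProvider' or 'webLoginService()' API. The function name safe_redirect_target, the default path "/", and the sample targets are assumptions constructed for this illustration.

```python
"""Same-origin validation for a post-login redirect target.

Added example, not Central Dogma's own code. Only a rooted, relative path is
accepted; anything a browser could resolve to another host falls back to a
fixed default. Function name, default and sample inputs are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` if it is a same-origin relative path, else `default`.

    Rejected forms:
      * absolute URLs ("https://evil.example", "javascript:...")
      * protocol-relative URLs ("//evil.example")
      * backslash variants ("/\\evil.example"; browsers treat "\\" as "/"
        in the authority position, so this resolves to //evil.example)
      * extra leading slashes ("////evil.example")
      * control characters or whitespace, which can confuse parsers or
        inject a second header into the Location response
    """
    if not target:
        return default

    # Normalise backslashes before parsing so the authority check below
    # sees what the browser would see.
    candidate = target.replace("\\", "/")

    # Reject control characters and whitespace outright.
    if any(ord(ch) < 0x20 or ch in " \t\r\n" for ch in candidate):
        return default

    parts = urlsplit(candidate)

    # Any scheme or network location means the target leaves our origin.
    if parts.scheme or parts.netloc:
        return default

    # Require a rooted path; a bare host name or "../x" is not acceptable,
    # and a path that still starts with "//" would be re-read as an authority.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default

    # Rebuild from the parsed parts so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


# Constructed sample targets, paired with the origin-relative result expected
# from the validator (not captured from any real Central Dogma instance).
SAMPLE_TARGETS = [
    "/projects/foo?x=1#top",          # legitimate same-origin path
    "/dashboard",                     # legitimate same-origin path
    "https://evil.example/login",     # absolute URL to another host
    "//evil.example/login",           # protocol-relative URL
    "/\\evil.example",                # backslash variant of the above
    "////evil.example",               # extra leading slashes
    "javascript:alert(1)",            # non-http scheme
    "evil.example",                   # not rooted
    "/dashboard\r\nX-Injected: 1",    # CRLF inside the target
    "",                               # missing target
]


def classify(targets):
    """Map each sample target to the redirect the server would actually issue."""
    return {t: safe_redirect_target(t) for t in targets}


if __name__ == "__main__":
    for raw, resolved in classify(SAMPLE_TARGETS).items():
        print(f"{raw!r:36} -> {resolved!r}")
```

The important design choice is the final rebuild from parsed parts rather than returning the raw string: any authority-like prefix that the parser absorbed (for example a third leading slash) is discarded, so the Location header the server emits can only ever name a path on the current origin. Tie the default to a fixed landing page rather than another caller-controlled value.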