Xuxueli XXL-SSO Open Redirect Vulnerability

An open redirect vulnerability has been identified in Xuxueli XXL-SSO version 1.1.0. The issue arises in the file '/xxl-sso-server/doLogin', where the 'redirect_url' parameter is not properly validated. This lack of validation allows for manipulation of the redirect URL, potentially leading victims to attacker-controlled sites and facilitating phishing attacks. The vulnerability can be exploited remotely and requires user interaction.

Impact

Exploitation of this vulnerability allows for open redirect, where users can be redirected to malicious sites, increasing the risk of phishing or social engineering attacks.

Reproduction

To reproduce this vulnerability, send a request to the '/xxl-sso-server/doLogin' endpoint with a manipulated 'redirect_url' parameter. The absence of proper validation will allow the application to redirect to the specified URL, which can be an external site controlled by an attacker.