
## Summary

In the latest version, 6.0.0, the OAuth logout functionality performs a URL redirect when clearing tokens. The redirect target is taken from a request parameter that is user-controllable and is never validated, so an attacker can abuse it to launch phishing and other attacks against users.

## Details

`src/main/java/com/central/oauth/handler/OauthLogoutSuccessHandler.java`

```java
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                            Authentication authentication) throws IOException {
    if (securityProperties.getAuth().getUnifiedLogout()) {
        unifiedLogoutService.allLogout();
    }
    // The redirect target is read straight from the request and is not validated
    String redirectUri = request.getParameter(REDIRECT_URL);
    if (StrUtil.isNotEmpty(redirectUri)) {
        // redirect to the specified address
        redirectStrategy.sendRedirect(request, response, redirectUri);
    } else {
        // "登出成功" means "logout successful"
        ResponseUtil.responseWriter(objectMapper, response, "登出成功", 0);
    }
}
```

## POC

…
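As an added illustration (not code from the project or the advisory), the following standalone Java class shows the check a defender would put in front of `sendRedirect`: the requested target is accepted only if it is a same-site path or an absolute `https` URL whose host is on a configured allowlist, and anything else falls back to a fixed post-logout page. The class name, the allowlist contents, the fallback path and the sample inputs are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not part of the project: validates a post-logout redirect
// target before it is handed to a redirect strategy.
public final class LogoutRedirectValidator {

    // Fallback used whenever the requested target fails validation (assumed value)
    static final String DEFAULT_AFTER_LOGOUT = "/";

    // Hosts that absolute redirect targets may point to (assumed values; in a
    // real deployment this comes from configuration, never from the request)
    private final Set<String> allowedHosts;

    public LogoutRedirectValidator(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /** Returns true only for targets that stay on this site or on an allowlisted host. */
    public boolean isSafeRedirect(String candidate) {
        if (candidate == null || candidate.isBlank()) {
            return false;
        }
        // Control characters and backslashes are rejected outright: some browsers
        // treat "\" like "/", which would turn "/\host" into a cross-site redirect.
        if (candidate.chars().anyMatch(c -> c < 0x20 || c == '\\')) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(candidate).normalize();
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null) {
            // A scheme-relative reference such as "//host/x" parses with an
            // authority; the browser would leave the site, so reject it.
            if (uri.getRawAuthority() != null) {
                return false;
            }
            // Same-site reference: insist on exactly one leading slash.
            String path = uri.getRawPath();
            return path != null && path.startsWith("/") && !path.startsWith("//");
        }
        // Absolute URL: https only (also rejects javascript:, data:, http:),
        // no credentials in the authority, and the host must be allowlisted.
        if (!"https".equals(uri.getScheme().toLowerCase(Locale.ROOT))) {
            return false;
        }
        String host = uri.getHost();
        if (host == null || uri.getRawUserInfo() != null) {
            return false;
        }
        return allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    /** What a logout handler should pass to sendRedirect: the request value if safe, else the fallback. */
    public String resolveTarget(String requested) {
        return isSafeRedirect(requested) ? requested : DEFAULT_AFTER_LOGOUT;
    }

    public static void main(String[] args) {
        LogoutRedirectValidator v = new LogoutRedirectValidator(Set.of("app.example.com"));
        String[] samples = {                         // constructed inputs
            "/home",                                 // same-site path      -> kept
            "https://app.example.com/welcome",       // allowlisted host    -> kept
            "//other.example/login",                 // scheme-relative     -> fallback
            "https://other.example/login",           // host not allowlisted-> fallback
            "https://app.example.com@other.example/", // userinfo trick     -> fallback
            "javascript:alert(1)",                   // non-https scheme    -> fallback
        };
        for (String s : samples) {
            System.out.println(s + " -> " + v.resolveTarget(s));
        }
    }
}
```

In the handler from the advisory, the fix amounts to replacing the raw `redirectUri` passed to `redirectStrategy.sendRedirect` with `validator.resolveTarget(redirectUri)`; if the application never needs cross-host redirects after logout, dropping the parameter entirely and redirecting to a configured page is simpler still.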