Cloudera · Cloudera Manager · CVE-2018-15913
**Name of the Vulnerable Software and Affected Versions**
Cloudera Manager versions 5.x through 5.15.0
**Description**
Cloudera Manager does not validate the `returnUrl` parameter. This parameter carries the Cloudera Manager page to which the user is sent after completing a wizard, and because its value is used as the redirect target without restriction, an attacker who gets a user to follow a crafted link can redirect that user to an external site (an open redirect) or cause malicious JavaScript to execute in the user's browser (cross-site scripting, XSS). The fix restricts `returnUrl` so that redirects to external locations are rejected, with an exception only for explicitly configured SAML Login/Logout URLs.
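The following is an added, illustrative example of the two behaviours described above and is not Cloudera Manager's own code. It places a permissive redirect handler (the vulnerable pattern) beside a restrictive one that accepts only application-local paths or an exact match against a configured allowlist, standing in for the SAML Login/Logout exception. The allowlist entries, the `/cmf/home` fallback and the function names are assumptions chosen for the example.

```python
"""Illustrative returnUrl validation: the vulnerable pattern beside a hardened one.
Hypothetical code written for this advisory, not Cloudera Manager's implementation.
"""
from urllib.parse import urlsplit

# Constructed configuration: the only absolute URLs a deployment has explicitly
# approved as redirect targets (stand-in for configured SAML Login/Logout URLs).
SAML_ALLOWED_URLS = frozenset({
    "https://idp.example.com/saml/login",
    "https://idp.example.com/saml/logout",
})

DEFAULT_TARGET = "/cmf/home"  # assumed application-local landing page


def unsafe_redirect_target(return_url, default=DEFAULT_TARGET):
    """Vulnerable pattern: whatever arrived in returnUrl becomes the redirect target.
    "https://evil.example/" and "javascript:..." both pass straight through."""
    return return_url or default


def safe_redirect_target(return_url, allowed=SAML_ALLOWED_URLS, default=DEFAULT_TARGET):
    """Hardened pattern: allow only a rooted local path, or an exact allowlist match."""
    if not return_url:
        return default

    # Exact-match exception for explicitly configured external URLs (the SAML case).
    # No prefix or substring matching: "https://idp.example.com/saml/login.evil.example"
    # must not qualify.
    if return_url in allowed:
        return return_url

    # Browsers treat "/\evil.example" like "//evil.example"; normalise before parsing
    # so the scheme/host check below sees what the browser would see.
    candidate = return_url.replace("\\", "/")

    # Control characters and whitespace can hide a scheme from naive parsers or
    # split the Location header; refuse them outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return default

    parts = urlsplit(candidate)

    # Anything with a scheme or authority leaves the application: "https://evil",
    # protocol-relative "//evil", and "javascript:alert(1)" are all rejected here.
    if parts.scheme or parts.netloc:
        return default

    # Require a single leading slash so the path is rooted on this application.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default

    return candidate


def finish_wizard(request_params, validator=safe_redirect_target):
    """Constructed wizard-completion handler: returns the Location header value.
    Swap in unsafe_redirect_target to reproduce the vulnerable behaviour."""
    return validator(request_params.get("returnUrl", ""))


if __name__ == "__main__":
    # Constructed request parameters, as they would arrive on the wizard's final step.
    crafted = {"returnUrl": "//evil.example/phish"}
    print("vulnerable:", finish_wizard(crafted, unsafe_redirect_target))
    print("hardened:  ", finish_wizard(crafted))
```

The allowlist comparison is deliberately an exact string match: any "starts with the IdP host" shortcut reopens the hole through userinfo tricks such as `https://idp.example.com@evil.example/`, which `urlsplit` would report with `netloc` ending in `evil.example`.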
**Recommendations**
For Cloudera Manager versions 5.x through 5.15.0, upgrade to a release that includes the fix. The fixed versions restrict the `returnUrl` parameter so that external redirects are rejected, permitting only explicitly configured SAML Login/Logout URLs as exceptions; after upgrading, confirm that those configured URLs are the only absolute redirect targets your deployment needs.