Saltcorn · Saltcorn · CVE-2026-42259
**Name of the Vulnerable Software and Affected Versions**
Saltcorn 1.4.x prior to 1.4.6
Saltcorn 1.5.x prior to 1.5.6
Saltcorn 1.6.0 pre-releases prior to 1.6.0-beta.5
**Description**
Saltcorn does not properly validate the `dest` parameter that controls where a user is sent after logging in. The `is_relative_url()` check only rejects strings containing `:/` or `//`, so a value built from backslashes (`\`) in place of one or both forward slashes passes it. WHATWG-compliant browsers treat a backslash as equivalent to a forward slash when parsing URLs with a special scheme such as `http` or `https`, so the browser resolves such a value as a scheme-relative URL and lands on the attacker-controlled host. An attacker who gets a victim to log in through a crafted link can therefore redirect them to a forged site immediately after a successful login, which lends itself to credential phishing. The issue is reachable on default installations and requires only that the victim follow the crafted login URL; no other configuration or privilege is needed.
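The following is an added example, not Saltcorn's own code: a check shaped like the one the advisory describes, a hardened replacement, and Node's WHATWG-compliant `URL` class used to show where a browser actually ends up for each input. The origin `https://app.example`, the host `evil.example` and the function names are assumptions for the demo.

```javascript
// Added example (not Saltcorn's code). APP_ORIGIN, evil.example and the
// function names are constructed for this demonstration.

// Weak check: rejects only strings containing ":/" or "//", as described above.
function weakIsRelativeUrl(dest) {
  return typeof dest === "string" && !dest.includes(":/") && !dest.includes("//");
}

// Where a WHATWG-compliant browser goes when the Location header is `dest`
// and the current page lives on `appOrigin`. Node's URL class follows the
// WHATWG URL Standard, so for special schemes "\" is parsed like "/".
function whereBrowserGoes(dest, appOrigin) {
  return new URL(dest, appOrigin).href;
}

// Hardened check: require a path-only value (a single leading "/" that is not
// followed by "/" or "\"), then confirm with the real parser that the resolved
// URL stays on the application origin. The parser step is belt-and-braces
// against encodings the regex does not anticipate.
function safeRelativeUrl(dest, appOrigin) {
  if (typeof dest !== "string" || dest.length === 0) return false;
  if (dest !== "/" && !/^\/[^\/\\]/.test(dest)) return false;
  let resolved;
  try {
    resolved = new URL(dest, appOrigin);
  } catch {
    return false;
  }
  return resolved.origin === new URL(appOrigin).origin;
}

// Demo inputs (constructed). In JS source "/\\evil.example" is the string /\evil.example.
const APP_ORIGIN = "https://app.example";
const CASES = [
  "/dashboard?tab=1",      // legitimate post-login destination
  "//evil.example",        // classic protocol-relative URL; the weak check catches it
  "/\\evil.example",       // backslash variant; slips past the weak check
  "\\\\evil.example",      // two backslashes; also slips past
  "https://evil.example/", // absolute URL; both checks reject it
];

// One row per input: what each check says and where the browser would land.
function report(dest) {
  return {
    dest,
    weak: weakIsRelativeUrl(dest),
    safe: safeRelativeUrl(dest, APP_ORIGIN),
    browserLandsOn: whereBrowserGoes(dest, APP_ORIGIN),
  };
}

for (const dest of CASES) {
  console.log(report(dest));
}
```

The backslash inputs are the interesting rows: the weak check reports them as relative, yet `whereBrowserGoes` resolves both to `https://evil.example/`, which is exactly the open redirect the advisory describes. The hardened check rejects them before the parser is even consulted, and the origin comparison would still catch any variant the regex let through.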
**Recommendations**
Update to 1.4.6 on the 1.4.x branch.
Update to 1.5.6 on the 1.5.x branch.
Update to 1.6.0-beta.5 on the 1.6.0 pre-release branch.
As a temporary workaround until the software is updated, ignore the `dest` parameter in login requests and always send users to a fixed post-login page, or accept only values that begin with a single `/` followed by neither `/` nor `\` and that resolve to the application's own origin.