CVE-2021-46366: 
Java vulnerability analysis and mitigation

An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials. The vulnerability was discovered in February 2022 and assigned CVE-2021-46366 (NVD).

The vulnerability combines two security issues: 1) An Open Redirect vulnerability via the 'mgnlReturnTo' GET parameter on the login page that triggers on successful login, and 2) A lack of CSRF protection on the login form. The vulnerability has a CVSS v3.1 Base Score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).

By exploiting this vulnerability, attackers can use a victim with access to the Magnolia Login page to bruteforce potential user-password combinations and exfiltrate any valid credentials back to the attacker. This attack can be used to hide the attacker's source IP from the Magnolia server or bypass IP restrictions (GitHub).

The vulnerability has been patched in Magnolia CMS version 6.2.4. The vendor's security advisory and fix details are available in the release notes. Users should upgrade to version 6.2.4 or later to address this vulnerability (Release Notes).