CVE-2024-26318: 
JavaScript vulnerability analysis and mitigation

Serenity before version 6.8.0 contains a Cross-Site Scripting (XSS) vulnerability in the LoginPage.tsx component. The vulnerability exists because the component permits return URLs that do not begin with a forward slash (/) character, potentially allowing malicious exploitation through email links (NVD, Release Notes).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The security flaw specifically relates to the handling of return URLs in the LoginPage.tsx component, where the application fails to properly validate that return URLs begin with a forward slash character (NVD).

If exploited, this vulnerability could allow attackers to execute cross-site scripting attacks through specially crafted email links, potentially leading to unauthorized access to user data or session hijacking (NVD).

The vulnerability has been fixed in Serenity version 6.8.0. The security fix implements a defensive check in LoginPage.tsx to only accept return URLs that begin with a forward slash (/). Users should upgrade to version 6.8.0 or later to address this security issue (Release Notes).

The security researcher Tasfaout Abderrahim was credited for discovering and reporting this security vulnerability to the Serenity team (Release Notes).