dotCMS needs to ensure application cannot redirect to external sites and Redirects using the referer parameter need to be checked against a lookup table of known-pages for redirection. 

It is possible to utilise the application to redirect a user's browser to an external web site. This could potentially enable an attacker to trick a user into accessing a hostile web site which could be used to recover their logon credentials. The application was discovered to redirect users to alternative pages based upon the value passed in the referer HTTP GET parameter. The vulnerable script and parameter are listed here:

http://[[hostname]]/html/portlet/ext/common/sub_nav_refresh_host.jsp?referer=http://www.google.com

It is recommended that the application code be rewritten so that it is not possible to redirect to external sites. To accomplish this it is recommended that a look-up table be used server-side so that specific user input can be mapped to individual pages for the redirection.

Update the affected JSP sub_nav_refresh_host.jsp and strip the host out of the passed in referer.  This jsp can be overridden by a plugin.

• https://github.com/dotCMS/dotCMS/issues/3070