An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials.
The vendor's disclosure and fix for this vulnerability can be found here.
This vulnerability requires:
- Convincing a user to access the malicious CSRF HTML page
More details and the exploitation process can be found in this PDF.