The application redirects users to URLs specified in user-controllable input without proper validation, enabling phishing attacks.
Attackers can craft links that appear legitimate but redirect users to malicious sites for credential theft or malware distribution.
Validate every redirect target against an allowlist of permitted domains rather than accepting arbitrary URLs, or replace full URLs with indirect references (short keys that the server maps to fixed destinations) so the client never supplies the target itself. Warn users with an interstitial before redirecting them to an external site.
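As an added example that is not part of the original finding, the following Python function applies the allowlist and indirect-reference controls described above and falls back to a safe default for anything else; the host names, the key table and the default path are constructed placeholders:

```python
from urllib.parse import urlsplit

# Constructed sample policy: hosts the application trusts, and named
# indirect references that the server maps to fixed destinations.
ALLOWED_HOSTS = {"app.example.com", "partner.example.org"}
INDIRECT_TARGETS = {"dashboard": "/dashboard", "docs": "https://partner.example.org/docs"}
DEFAULT_TARGET = "/"


def resolve_redirect(user_value, allowed_hosts=ALLOWED_HOSTS, indirect=INDIRECT_TARGETS):
    """Return (target_url, is_external) for a user-supplied redirect value.

    Unsafe or unparseable input falls back to DEFAULT_TARGET, so the caller
    never redirects to an attacker-chosen host. is_external tells the caller
    to show a warning interstitial before leaving the application.
    """
    if not user_value:
        return DEFAULT_TARGET, False
    # Indirect reference: the client sends a short key, the server owns the URL.
    if user_value in indirect:
        target = indirect[user_value]
        return target, target.startswith("http")
    # Browsers treat backslashes in http(s) URLs as slashes; normalise first so
    # a value like "/\evil.example.net" is not misread as a relative path.
    candidate = user_value.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    # Same-origin relative path: exactly one leading slash (a "//host" form has a
    # netloc and therefore never reaches this branch).
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate, False
        return DEFAULT_TARGET, False
    # Absolute URL: only http(s) and only an exact allowlisted hostname.
    # parts.hostname drops userinfo and port, so "https://app.example.com@evil"
    # is compared as "evil" and rejected.
    if parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET, False
    host = (parts.hostname or "").lower()
    if host in allowed_hosts:
        return candidate, True
    return DEFAULT_TARGET, False
```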