Lovable VDP: Bypass of Open Redirect Fix on lovable.dev via /..// Path Traversal in redirect parameter
A bypass was discovered for a previously patched open redirect vulnerability on a web application. The original fix blocked certain payloads, but failed to account for path traversal sequences combined with double slashes. By supplying a specific redirect value, an attacker could still redirect...
Lovable VDP: Open Redirect on lovable.dev via redirect parameter leads to phishing attacks
An open redirect vulnerability was discovered on the website lovable.dev. After logging in, a request was sent to a URL with a 'redirect' parameter. By supplying a backslash-prefixed value for the 'redirect' parameter, the user could be redirected to an external domain. This vulnerability could...