VYPR
Unrated severity · NVD Advisory · Published Oct 23, 2019 · Updated Aug 5, 2024

CVE-2019-18350

Description

In Ant Design Pro 4.0.0, reflected XSS in the user/login redirect GET parameter affects the authorization component, leading to execution of JavaScript code in the login after-action script.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Ant Design Pro 4.0.0 via the login redirect parameter allows execution of arbitrary JavaScript after login.

Vulnerability

Ant Design Pro version 4.0.0 contains a reflected cross-site scripting (XSS) vulnerability in the authorization component. The redirect GET parameter in the /user/login endpoint is not sanitized, allowing an attacker to inject a malicious javascript: URI. When a victim visits a crafted URL such as https://preview.pro.ant.design/user/login?redirect=javascript:alert(1);//, the injected JavaScript executes after the login action completes [1].

Exploitation

An attacker can exploit this vulnerability by tricking a victim into clicking a specially crafted link that includes a malicious redirect parameter. No authentication or special network position is required; the victim simply needs to be logged into the application or to complete the login process after clicking the link. The attacker's payload is reflected in the page and executed in the context of the victim's session [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript code in the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information, depending on the attacker's payload. The attack is limited to the scope of the victim's session and the actions available to the logged-in user [1].

Mitigation

The vulnerability was fixed in Ant Design Pro pull request #5461, which restricts redirects to the self-origin site only. Users should update to a patched version (at least the commit included in that pull request) or apply the fix manually. No known workaround is available for version 4.0.0 without applying the patch [1].
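One way to enforce the same-origin-only policy the fix describes, as an added example (not Ant Design Pro's own code): the redirect parameter is resolved against the application origin, assumed here to be https://preview.pro.ant.design, and anything that does not land on that origin, including the javascript: URI from the advisory, falls back to '/'. It also generalises the fix by accepting relative paths and hash-router URLs.

```javascript
// Added example, not code from the Ant Design Pro repository.
// Policy mirrors the fix: only same-origin destinations are honoured,
// everything else (javascript:, data:, other hosts, '//host' forms) -> '/'.
const DEFAULT_TARGET = '/';

function safeRedirectTarget(redirect, appOrigin) {
  if (typeof redirect !== 'string' || redirect.trim() === '') return DEFAULT_TARGET;
  let url;
  try {
    // Relative paths resolve against the app origin; absolute URLs,
    // protocol-relative '//host' and 'javascript:' keep their own scheme/host.
    url = new URL(redirect.trim(), appOrigin);
  } catch (e) {
    return DEFAULT_TARGET; // unparsable value: never navigate to it
  }
  // Comparing origins rejects javascript:/data: (origin "null"), other
  // schemes, other hosts and look-alike hosts such as app.example.evil.tld.
  if (url.origin !== new URL(appOrigin).origin) return DEFAULT_TARGET;
  // Hash-router URL: the in-app route lives after '#', e.g. '/#/dashboard'.
  if (url.hash.length > 1) {
    const route = url.hash.slice(1);
    return route.startsWith('/') ? route : DEFAULT_TARGET;
  }
  return url.pathname + url.search;
}

// Constructed sample inputs (assumed app origin from the advisory's demo URL).
const APP_ORIGIN = 'https://preview.pro.ant.design';
const SAMPLE_REDIRECTS = [
  'javascript:alert(1);//',                       // the CVE payload
  '//evil.example/x',                             // protocol-relative open redirect
  'https://preview.pro.ant.design.evil.example/', // look-alike host
  '/account/settings?tab=1',                      // legitimate relative path
  'https://preview.pro.ant.design/#/dashboard',   // legitimate hash-router URL
];

// Returns { input: resolvedTarget } for every sample, for inspection.
function classifySamples(appOrigin = APP_ORIGIN) {
  const out = {};
  for (const r of SAMPLE_REDIRECTS) out[r] = safeRedirectTarget(r, appOrigin);
  return out;
}
```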

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
840034ca90a6

FIX: Reflected XSS Vulnerability in login after-action script

https://github.com/ant-design/ant-design-pro · Nikita Tikhomirov · Oct 21, 2019 · via osv
1 file changed · +1 −1
  • src/models/login.ts · +1 −1 · modified
    @@ -53,7 +53,7 @@ const Model: LoginModelType = {
                   redirect = redirect.substr(redirect.indexOf('#') + 1);
                 }
               } else {
    -            window.location.href = redirect;
    +            window.location.href = '/';
                 return;
               }
             }
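Review bot: the replacement line `window.location.href = '/';` in the else branch silently drops the user's requested destination with nothing in the code saying why; add a one-line comment above it stating that redirect values outside the application's own origin (the `javascript:` URI from this CVE included) are deliberately discarded, so a later refactor does not reinstate `window.location.href = redirect;`. The branch above it still forwards whatever follows `'#'` via `redirect.substr(redirect.indexOf('#') + 1)` unchanged, so it is worth confirming in the surrounding code that that value is only ever used as an in-app route and never assigned to `location` again.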
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
