Headline
CVE-2023-0748: Open Redirect on "returnUrl=" parameter in btcpayserver
Open Redirect in GitHub repository btcpayserver/btcpayserver prior to 1.7.6.
Description
Hello Team, while testing the “returnUrl=” parameter on the login page it was not vulnerable, but I found another way to get an Open Redirect with that parameter.
Proof of Concept
Here is the Video POC of this vulnerability
https://drive.google.com/file/d/1UNnRv-E0bwcWWSFSOSDLoTGEdkH4cIKd/view?usp=sharing
Steps to Reproduce:
Log in to your account on https://mainnet.demo.btcpayserver.org/login
Click the link below
https://mainnet.demo.btcpayserver.org/recovery-seed-backup?cryptoCode=BTC&mnemonic=above&passphrase=&isStored=false&requireConfirm=true&returnUrl=//evil.com
Check the “I have written down my recovery phrase and stored it in a secure location”
Then click Done
You will be redirected to evil.com
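The value used in the steps above, returnUrl=//evil.com, is a scheme-relative URL: it begins with a slash, so a check that only asks "does the path start with /?" accepts it, yet the browser resolves it against evil.com. Below is an added example of a server-side validator that rejects such values before issuing a redirect. It is not BTCPay Server's own code (the project is written in C#; this is Python so it can be run directly), and the function names are assumptions.

```python
from urllib.parse import urlsplit


def is_local_redirect(return_url: str) -> bool:
    """Return True only if return_url stays on the current origin.

    Rejects empty values, absolute URLs (https://evil.com), scheme-relative
    URLs (//evil.com, the form used in this report), backslash variants
    (/\\evil.com, which browsers normalise to //evil.com), embedded control
    characters, and anything that does not begin with a single '/'.
    Apply it in every handler that accepts a return URL, not only on the
    login page: this report shows the login check did not cover the
    recovery-seed-backup route.
    """
    if not return_url:
        return False
    candidate = return_url.strip()
    # Browsers strip tabs/newlines before parsing; refuse them outright.
    if any(ord(ch) < 0x20 for ch in candidate):
        return False
    # Must start with exactly one forward slash.
    if not candidate.startswith("/"):
        return False
    if len(candidate) > 1 and candidate[1] in ("/", "\\"):
        return False
    # Defence in depth: the parser must see neither a scheme nor a host.
    parts = urlsplit(candidate)
    return parts.scheme == "" and parts.netloc == ""


def safe_return_url(return_url: str, fallback: str = "/") -> str:
    """Return the validated local URL, or the fallback if it fails the check."""
    return return_url.strip() if is_local_redirect(return_url) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: the report's payload and a legitimate value.
    for url in ("//evil.com", "/\\evil.com", "https://evil.com", "/wallets/BTC"):
        print(f"{url!r:22} -> {safe_return_url(url)!r}")
```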
Impact
An open redirect vulnerability exists in the affected versions. An attacker could trick an authenticated user into clicking a crafted link that, after the "Done" step, redirects them to an attacker-controlled site, which can be used for phishing attacks.