An open redirect vulnerability exists on the /my/redirect.php page.
An attacker could use this vulnerability to redirect a victim to an untrusted website. This can be used to ease phishing attacks for example.
CVSSv3 score: 4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N)
One way to demonstrate the issue is to access to https://<tuleap_instance>/my/redirect.php?return_to=%2F%2Fexample.com , you will be redirect to example.com.
A first unsuccessful attempt at fixing the issue has been done in request #7744.
This vulnerability has been reported by RedTeam Pentesting GmbH.
Their advisory for this vulnerability is available here: RT-SA-2018-001
OWASP - Unvalidated Redirects and Forwards