Sitefinity 9.2 has a system page /Sitefinity/Status page with ReturnUrl parameter. It's being shown during application restart, but not only - this page works anytime.
I noticed that this parameter represents open redirect vulnerability. ReturnUrl is not validated. One can pass any website URL as ReturnUrl parameter - and Sitefinity will redirect it.
For example /Sitefinity/status?ReturnUrl=http://www.spam.com will redirect to http://www.spam.com
So anytime phisher can post an URL based on domain of Sitefinity-based website, but this URL will immediately redirect to other website.
There is no option to switch this redirect off. Modifying HTML of application status page will affect only startup screen but won't affect redirection when site is running. Denying access to /Sitefinity/status page will cause other users see server error page until website start up.
We invented a dirty workaround: programmatically override route and palmed off our own HTTP handler. But fact is fact: there is a vulnerability that is presented by default on all Sitefinity systems.