[HIGH] Open redirect via double-encoded 'destination' parameter

PKSA-1tzq-2qs7-2bmg CVE-2016-3167 GHSA-gxwx-c7m8-f95h

Affected package: drupal/core

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories, GitHub