Capital One Investing Open Redirect Vulnerability

You could pass any URL in the tl parameter of the Capital One Investing login page and get redirected to any site on the Internet. An attacker could use this to redirect a user to an untrusted site and potentially phish for users' information.

This error has since been fixed.

For example:

If you were already logged in, you were automatically redirected to the URL in the tl parameter. An attacker could use this to present a URL that immediately redirects to their phishing site.
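A server-side check that refuses off-site values of the tl parameter, as an added example (not code from the original post and not Capital One's actual fix). The host name `investing.example`, the default landing path and the function names are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumptions (constructed placeholders, not values from the post):
ALLOWED_HOSTS = {"investing.example"}   # hosts the login page may send users to
DEFAULT_TARGET = "/"                    # fallback landing page


def safe_redirect_target(tl, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return tl only if it keeps the user on an allowed host, else the default."""
    if not tl or tl != tl.strip():
        return default
    # Browsers treat "\" like "/" and drop tab/CR/LF, so refuse both outright.
    if "\\" in tl or any(ord(c) < 0x20 or ord(c) == 0x7F for c in tl):
        return default
    try:
        parts = urlsplit(tl)
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Relative target: accept "/path", refuse "//host" and "///host" forms.
        return tl if tl.startswith("/") and not tl.startswith("//") else default
    if parts.scheme != "https":
        return default          # javascript:, data:, http:, scheme-relative //host
    if parts.username or parts.password:
        return default          # https://investing.example@other-host/
    host = parts.hostname
    if host is None or host.lower() not in allowed_hosts:
        return default
    return tl


def resolve_login_redirect(query_string):
    """Pick the post-login destination from the login page's query string."""
    values = parse_qs(query_string).get("tl", [])
    # A repeated tl parameter is ambiguous, so fall back to the default.
    return safe_redirect_target(values[0]) if len(values) == 1 else DEFAULT_TARGET
```

Comparing the parsed host exactly against an allowlist, rather than checking whether the string starts with or contains the trusted name, is what stops look-alike hosts and userinfo tricks from passing.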

More information about this class of vulnerability is available here: