Vulnerabilities (CVE)

Filtered by CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect')
Columns: CVE; number of vendors and vendor names; number of products and product names; last updated; CVSS v2 score and severity; CVSS v3 score and severity. The line after each entry is its description.
CVE-2019-6780 1 Kaine 1 Wise Chat 2019-01-28 5.8 MEDIUM 6.1 MEDIUM
The Wise Chat plugin before 2.7 for WordPress mishandles external links because rendering/filters/post/WiseChatLinksPostFilter.php omits noopener and noreferrer.
CVE-2018-16174 1 Thimpress 1 Learnpress 2019-01-11 5.8 MEDIUM 6.1 MEDIUM
Open redirect vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2018-12675 1 Sv3c 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more 2019-01-11 5.8 MEDIUM 6.1 MEDIUM
The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) does not perform origin checks on URLs that the camera's web interface redirects a user to. This can be leveraged to send a user to an unexpected endpoint.
CVE-2018-17870 1 Btiteam 1 Xbtit 2019-01-08 5.8 MEDIUM 6.1 MEDIUM
An issue was discovered in BTITeam XBTIT 2.5.4. The "returnto" parameter of account_change.php is vulnerable to an open redirect, a different vulnerability than CVE-2018-15683.
CVE-2018-11067 2 Dell, Vmware 3 Emc Avamar, Emc Integrated Data Protection Appliance, Vsphere Data Protection 2019-01-02 5.8 MEDIUM 6.1 MEDIUM
Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 contain an open redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.
CVE-2018-7804 1 Schneider-electric 8 Modicom Bmxnor0200h, Modicom Bmxnor0200h Firmware, Modicom M340 and 5 more 2018-12-28 5.8 MEDIUM 6.1 MEDIUM
A URL Redirection to Untrusted Site vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where a user clicking on a specially crafted link can be redirected to a URL of the attacker's choosing.
CVE-2018-17948 1 Microfocus 1 Access Manager 2018-12-26 5.8 MEDIUM 6.1 MEDIUM
An open redirect vulnerability exists in the Access Manager Identity Provider prior to 4.4 SP3.
CVE-2018-16954 1 Oracle 1 Webcenter Interaction 2018-12-13 5.8 MEDIUM 6.1 MEDIUM
An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The login function of the portal is vulnerable to insecure redirection (also called an open redirect). The in_hi_redirect parameter is not validated by the application after a successful login. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.
CVE-2018-2476 1 Sap 1 Netweaver 2018-12-13 5.8 MEDIUM 6.1 MEDIUM
Due to insufficient URL Validation in forums in SAP NetWeaver versions 7.30, 7.31, 7.40, an attacker can redirect users to a malicious site.
CVE-2018-13401 1 Atlassian 1 Jira 2018-12-03 5.8 MEDIUM 6.1 MEDIUM
The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability.
CVE-2018-13402 1 Atlassian 1 Jira 2018-12-03 5.8 MEDIUM 6.1 MEDIUM
Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users and, in some cases, obtain a user's Cross-site request forgery (CSRF) token via an open redirect vulnerability.
CVE-2018-5548 1 F5 1 Big-ip Access Policy Manager 2018-12-03 5.8 MEDIUM 6.1 MEDIUM
On BIG-IP APM 11.6.0-11.6.3, an insecure AES ECB mode is used for the orig_uri parameter in an undisclosed /vdesk link of an APM virtual server configured with an access profile, allowing a malicious user to build a redirect URI value by combining blocks from different ciphertexts.
CVE-2018-15493 1 Vbulletin 1 Vbulletin 2018-11-30 5.8 MEDIUM 6.1 MEDIUM
vBulletin 5.4.3 has an Open Redirect.
CVE-2018-17074 1 Feed Statistics Project 1 Feed Statistics 2018-11-23 5.8 MEDIUM 6.1 MEDIUM
The Feed Statistics plugin before 4.0 for WordPress has an Open Redirect via the feed-stats-url parameter.
CVE-2018-14398 1 Cremecrm 1 Cremecrm 2018-11-14 5.8 MEDIUM 6.1 MEDIUM
An issue was discovered in Creme CRM 1.6.12. The value of the cancel button uses the content of the HTTP Referer header, and could be used to trick a user into visiting a fake login page in order to steal credentials.
CVE-2017-15419 3 Debian, Google, Redhat 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more 2018-11-07 4.3 MEDIUM 6.5 MEDIUM
Insufficient policy enforcement in Resource Timing API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to infer browsing history by triggering a leaked cross-origin URL via a crafted HTML page.
CVE-2018-16761 1 Eventum Project 1 Eventum 2018-11-06 5.8 MEDIUM 6.1 MEDIUM
Eventum before 3.4.0 has an open redirect vulnerability.
CVE-2018-15683 1 Btiteam 1 Xbtit 2018-11-06 5.8 MEDIUM 6.1 MEDIUM
An issue was discovered in BTITeam XBTIT. The "returnto" parameter of the login page is vulnerable to an open redirect due to a lack of validation. If a user is already logged in when accessing the page, they will be instantly redirected.
CVE-2018-14474 1 Goodoldweb 1 Orange Forum 2018-10-29 5.8 MEDIUM 6.1 MEDIUM
views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or /signup.
CVE-2017-7233 1 Djangoproject 1 Django 2018-10-17 5.8 MEDIUM 6.1 MEDIUM
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
CVE-2018-7091 1 Hp 1 Xp 9000 Command View 2018-10-10 5.8 MEDIUM 6.1 MEDIUM
HPE XP P9000 Command View Advanced Edition Software (CVAE) has an open URL redirection vulnerability in DevMgr, TSMgr and RepMgr versions 7.0.0-00 and later that are earlier than 8.60-00.
CVE-2016-7137 1 Plone 1 Plone 2018-10-09 5.8 MEDIUM 6.1 MEDIUM
Multiple open redirect vulnerabilities in Plone CMS 5.x through 5.0.6, 4.x through 4.3.11, and 3.3.x through 3.3.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter to (1) %2b%2bgroupdashboard%2b%2bplone.dashboard1%2bgroup/%2b/portlets.Actions or (2) folder/%2b%2bcontextportlets%2b%2bplone.footerportlets/%2b/portlets.Actions or the (3) came_from parameter to /login_form.
CVE-2015-4668 1 Xceedium 1 Xsuite 2018-10-09 5.8 MEDIUM 6.1 MEDIUM
Open redirect vulnerability in Xsuite 2.4.4.5 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirurl parameter.
CVE-2015-5054 1 Ellucian 1 Banner Student 2018-10-09 5.8 MEDIUM 6.1 MEDIUM
Open redirect vulnerability in Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in an unspecified parameter.
CVE-2018-15178 1 Gogs 1 Gogs 2018-10-05 5.8 MEDIUM 6.1 MEDIUM
Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.
CVE-2018-14381 1 Pagekit 1 Pagekit 2018-09-14 5.8 MEDIUM 6.1 MEDIUM
Pagekit before 1.0.14 has a /user/login?redirect= open redirect vulnerability.
CVE-2013-0594 1 Ibm 1 Inotes 2018-09-04 5.8 MEDIUM 6.1 MEDIUM
Open redirect vulnerability in IBM iNotes before 8.5.3 Fix Pack 6 and 9.x before 9.0.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. IBM X-Force ID: 83383.
CVE-2018-11041 1 Pivotal Software 2 Cloud Foundry Uaa, Cloud Foundry Uaa-release 2018-08-23 5.8 MEDIUM 6.1 MEDIUM
Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt.
CVE-2017-5389 1 Mozilla 1 Firefox 2018-08-07 5.8 MEDIUM 6.1 MEDIUM
WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 51.
CVE-2015-8094 1 Cloudera 1 Hue 2018-07-02 5.8 MEDIUM 6.1 MEDIUM
Open redirect vulnerability in Cloudera HUE before 3.10.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter.
CVE-2018-10651 1 Citrix 1 Xenmobile Server 2018-06-25 5.8 MEDIUM 6.1 MEDIUM
There are Open Redirect Vulnerabilities in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
CVE-2018-11119 1 Ilias 1 Ilias 2018-06-15 5.8 MEDIUM 6.1 MEDIUM
ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 redirects a logged-in user to a third-party site via the return_to_url parameter.
CVE-2018-1000174 1 Jenkins 1 Google Login 2018-06-13 5.8 MEDIUM 6.1 MEDIUM
An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after successful login.
CVE-2018-5304 1 Impinj 2 R420 Rfid Reader, R420 Rfid Reader Firmware 2018-06-13 4.3 MEDIUM 4.3 MEDIUM
An issue was discovered on the Impinj Speedway Connect R420 RFID Reader before 2.2.2. The affected web interface is vulnerable to ClickJacking or UI Redressing: it is possible to access the web application in an iframe, and clicking on the iframe will redirect to a third-party application or perform other malicious actions.
CVE-2018-1248 1 Rsa 1 Authentication Manager 2018-06-13 5.8 MEDIUM 6.1 MEDIUM
RSA Authentication Manager Security Console, Operation Console and Self-Service Console, version 8.3 and earlier, is affected by a Host header injection vulnerability. This could allow a remote attacker to potentially poison HTTP cache and subsequently redirect users to arbitrary web domains.
CVE-2017-18262 1 Blackboard 1 Blackboard Learn 2018-06-12 5.8 MEDIUM 6.1 MEDIUM
Blackboard Learn (Since at least 17th of October 2017) has allowed Unvalidated Redirects on any signed-in user through its endpoints for handling Shibboleth logins, as demonstrated by a webapps/bb-auth-provider-shibboleth-BBLEARN/execute/shibbolethLogin?returnUrl= URI.
CVE-2018-10678 1 Mybb 1 Mybb 2018-06-05 5.8 MEDIUM 6.1 MEDIUM
MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks.
CVE-2017-5571 1 Flexerasoftware 1 Flexnet Publisher 2018-05-30 5.8 MEDIUM 6.1 MEDIUM
Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2018-10100 2 Debian, Wordpress 2 Debian Linux, Wordpress 2018-05-18 5.8 MEDIUM 6.1 MEDIUM
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.
CVE-2017-0364 2 Debian, Mediawiki 2 Debian Linux, Mediawiki 2018-05-14 5.8 MEDIUM 6.1 MEDIUM
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link.
CVE-2017-0363 2 Debian, Mediawiki 2 Debian Linux, Mediawiki 2018-05-14 5.8 MEDIUM 6.1 MEDIUM
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites.
CVE-2018-8813 1 Wolfcms 1 Wolf Cms 2018-05-10 4.9 MEDIUM 4.8 MEDIUM
Open redirect vulnerability in the login[redirect] parameter of the login functionality in WolfCMS 0.8.3.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL.
CVE-2016-0204 1 Ibm 1 Cloud Orchestrator 2018-05-02 5.8 MEDIUM 6.8 MEDIUM
Open redirect vulnerability in IBM Cloud Orchestrator 2.4.x before 2.4.0 FP3 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2018-8937 1 Open-audit 1 Open-audit 2018-04-20 5.8 MEDIUM 6.1 MEDIUM
An issue was discovered in Open-AudIT Professional 2.1. It is possible to inject a malicious payload in the redirect_url parameter to the /login URI to trigger an open redirect. A "data:text/html;base64," payload can be used with JavaScript code.
CVE-2018-1220 1 Emc 1 Rsa Archer 2018-03-26 5.8 MEDIUM 6.1 MEDIUM
EMC RSA Archer, versions prior to 6.2.0.8, contains a redirect vulnerability in the QuickLinks feature. A remote attacker may potentially exploit this vulnerability to redirect genuine users to phishing websites with the intent of obtaining sensitive information from the users.
CVE-2017-6932 2 Debian, Drupal 2 Debian Linux, Drupal 2018-03-22 5.8 MEDIUM 4.7 MEDIUM
Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.
CVE-2018-6324 1 F-secure 1 Radar 2018-03-15 5.8 MEDIUM 6.1 MEDIUM
F-Secure Radar (on-premises) before 2018-02-15 has an Unvalidated Redirect via the ReturnUrl parameter that triggers upon a user login.
CVE-2017-8945 1 Hp 1 Icewall Federation Agent 2018-03-12 5.8 MEDIUM 6.1 MEDIUM
A Remote Unauthorized Disclosure of Information vulnerability in HPE IceWall Federation Agent version 3.0 was found.
CVE-2017-18178 1 Progress 1 Sitefinity 2018-03-05 5.8 MEDIUM 6.1 MEDIUM
Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1.
CVE-2016-0329 1 Ibm 1 Emptoris Sourcing 2018-02-16 4.9 MEDIUM 5.4 MEDIUM
Open redirect vulnerability in IBM Emptoris Sourcing 10.0.0.x before 10.0.0.1_iFix3, 10.0.1.x before 10.0.1.3_iFix3, 10.0.2.x before 10.0.2.8_iFix1, 10.0.4.0 before 10.0.4.0_iFix8, and 10.1.0.0 before 10.1.0.0_iFix3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. IBM X-Force ID: 111692.
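Several entries above name the specific shapes that slip past a redirect check: a backslash after the leading slash (the Gogs entry), numeric URLs that a parser fails to recognise as absolute (the Django entry), a data: URL (the Open-AudIT entry) and a host smuggled past a prefix comparison with an encoded '@' (the Sitefinity entry). The Go program below is an added example, not code from any project in this listing. NaiveIsSafe, IsSafeRedirect, RedirectTarget and the inputs in Cases are assumed names and constructed values for illustration; the "http:999999999" case is an assumed shape for what the Django entry calls a numeric URL. It puts a naive prefix test beside a validator that accepts only a same-origin path.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// NaiveIsSafe is the kind of prefix check several of the entries above relied
// on: one leading slash but not two. It is the vulnerable form.
func NaiveIsSafe(target string) bool {
	return strings.HasPrefix(target, "/") && !strings.HasPrefix(target, "//")
}

// IsSafeRedirect accepts only a same-origin path: exactly one leading slash,
// no backslash anywhere (browsers normalise "/\host" to "//host"), no control
// characters, and nothing that net/url parses as a scheme, host or userinfo.
func IsSafeRedirect(target string) bool {
	if len(target) == 0 || target[0] != '/' {
		return false
	}
	if len(target) > 1 && (target[1] == '/' || target[1] == '\\') {
		return false
	}
	if strings.ContainsAny(target, "\\\x00\t\r\n") {
		return false
	}
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == "" && u.Opaque == "" && u.User == nil
}

// RedirectTarget is what a login handler would call with the ?next= value.
func RedirectTarget(next, fallback string) string {
	if IsSafeRedirect(next) {
		return next
	}
	return fallback
}

// Cases are constructed inputs modelled on patterns the listing describes.
var Cases = []struct {
	In   string
	Want bool
}{
	{"/dashboard", true},
	{"/dashboard?next=https://evil.example/", true}, // a URL inside the query is harmless
	{"//evil.example/", false},                       // scheme-relative
	{`/\evil.example/`, false},                       // backslash form, as in the Gogs entry
	{`\\evil.example/`, false},
	{"https://evil.example/", false},
	{"https://portal.example@evil.example/", false}, // userinfo '@' (%40) trick
	{"http:999999999", false},                       // numeric URL, assumed shape
	{"data:text/html;base64,PHNjcmlwdD4=", false},   // data: URL, as in the Open-AudIT entry
	{"javascript:alert(1)", false},
	{"/ok\r\nSet-Cookie: x=1", false}, // header injection
	{"", false},
}

func main() {
	for _, c := range Cases {
		fmt.Printf("%-42q naive=%-5v safe=%v\n", c.In, NaiveIsSafe(c.In), IsSafeRedirect(c.In))
	}
}
```

NaiveIsSafe passes the backslash form while IsSafeRedirect rejects it, which is the whole difference between the two. Where an application genuinely needs cross-origin redirects, compare the parsed scheme and host against an allowlist of exact origins rather than testing a string prefix, since prefix tests are what the userinfo and backslash cases defeat.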
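The BIG-IP APM entry (CVE-2018-5548) is a different kind of open redirect: the orig_uri value was AES-ECB encrypted, and because ECB encrypts every block independently, ciphertext blocks from a legitimately issued token can be rearranged into a ciphertext that decrypts to a URI the server never validated. The Go program below is an added example that reconstructs that class of bug with a constructed key and constructed URIs; it is not F5's code and makes no claim about the real APM token format. DemoKey, IssueECBToken, RedeemECBToken, IssueGCMToken and RedeemGCMToken are assumed names. The hardened variant replaces ECB with AES-GCM and binds the token to the session id as associated data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var DemoKey = []byte("0123456789abcdef") // constructed 128-bit demo key

// ecbCrypt encrypts or decrypts each 16-byte block on its own: with no
// chaining, ciphertext blocks can be cut and pasted without the key.
func ecbCrypt(key, in []byte, decrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or input not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			blk.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			blk.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

var errNotRelative = errors.New("refusing non-relative redirect")

// relativeOnly is the server's only check; it runs at issue time, never at redeem time.
func relativeOnly(uri string) bool { return strings.HasPrefix(uri, "/") && !strings.HasPrefix(uri, "//") }

// IssueECBToken is the weak design: validate, zero-pad, ECB-encrypt, hex-encode.
func IssueECBToken(key []byte, uri string) (string, error) {
	if !relativeOnly(uri) {
		return "", errNotRelative
	}
	pad := make([]byte, (aes.BlockSize-len(uri)%aes.BlockSize)%aes.BlockSize)
	ct, err := ecbCrypt(key, append([]byte(uri), pad...), false)
	return hex.EncodeToString(ct), err
}

// RedeemECBToken trusts whatever decrypts; nothing ties the blocks together.
func RedeemECBToken(key []byte, token string) (string, error) {
	ct, err := hex.DecodeString(token)
	if err == nil {
		ct, err = ecbCrypt(key, ct, true)
	}
	return string(bytes.TrimRight(ct, "\x00")), err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// IssueGCMToken is the hardened form: AES-GCM authenticates the whole ciphertext
// plus associated data (the session id), so a spliced or replayed token fails to open.
func IssueGCMToken(key []byte, uri, sessionID string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if !relativeOnly(uri) {
		return "", errNotRelative
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(uri), []byte(sessionID))), nil
}

func RedeemGCMToken(key []byte, token, sessionID string) (string, error) {
	raw, err := hex.DecodeString(token)
	gcm, gerr := newGCM(key)
	if err != nil || gerr != nil || len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("malformed token")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(sessionID))
	return string(pt), err
}

func main() { // constructed attacker input: blocks 1 and 2 alone spell an absolute URL
	crafted := "/" + strings.Repeat("a", 15) + "https://evil.example/x"
	tok, _ := IssueECBToken(DemoKey, crafted)
	fmt.Println(RedeemECBToken(DemoKey, tok[32:])) // drop block 0 (32 hex chars); no key needed
	gtok, _ := IssueGCMToken(DemoKey, crafted, "sess-1")
	fmt.Println(RedeemGCMToken(DemoKey, gtok[:24]+gtok[56:], "sess-1")) // same splice is rejected
}
```

The attacker never asks the server to encrypt an absolute URL; the crafted relative URI passes relativeOnly, and the first 16 bytes are a throwaway block whose only job is to push "https://evil.exa" and "mple/x" onto their own block boundaries. Dropping the first 32 hex characters of the token leaves a ciphertext that RedeemECBToken happily decrypts to https://evil.example/x. The GCM token fails authentication after the same cut, and also when presented under a different session id, which is the property an encrypted redirect parameter actually needs: integrity, not just confidentiality.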