Total
966 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26156 | 1 Cherwell | 1 Cherwell Service Management | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. Injection of a malicious payload within the RelayState= parameter of the HTTP request body results in the hijacking of the form action. Form-action hijacking vulnerabilities arise when an application places user-supplied input into the action URL of an HTML form. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify the action URL of a form to point to the attacker's server. | |||||
| CVE-2022-26950 | 1 Rsa | 1 Archer | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| Archer 6.x through 6.9 P2 (6.9.0.2) is affected by an open redirect vulnerability. A remote unprivileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims' credentials and silently authenticate them to the Archer application without the victims realizing an attack occurred. | |||||
| CVE-2022-1058 | 1 Gitea | 1 Gitea | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open Redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5. | |||||
| CVE-2022-23618 | 1 Xwiki | 1 Xwiki | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is no protection against URL redirection to untrusted sites, in particular some well known parameters (xredirect) can be used to perform url redirections. This problem has been patched in XWiki 12.10.7 and XWiki 13.3RC1. Users are advised to update. There are no known workarounds for this issue. | |||||
| CVE-2022-24739 | 1 Alltube Project | 1 Alltube | 2024-02-04 | 4.0 MEDIUM | 6.1 MEDIUM |
| alltube is an html front end for youtube-dl. On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured). The impact is mitigated by the fact the SSRF attack is only possible when the `stream` option is enabled in the configuration. (This option is disabled by default.) 3.0.3 contains a fix for this vulnerability. | |||||
| CVE-2022-0869 | 1 Spirit-project | 1 Spirit | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| Multiple Open Redirect in GitHub repository nitely/spirit prior to 0.12.3. | |||||
| CVE-2022-27463 | 1 Wwbn | 1 Avideo | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6, allows attackers to arbitrarily redirect users from a crafted url to the login page. | |||||
| CVE-2021-44054 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later | |||||
| CVE-2022-29214 | 1 Nextauth.js | 1 Next-auth | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this issue. The maintainers recommend adding a certain configuration to one's `callbacks` option as a workaround for those unable to upgrade. | |||||
| CVE-2022-0697 | 1 Archivy Project | 1 Archivy | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open Redirect in GitHub repository archivy/archivy prior to 1.7.0. | |||||
| CVE-2022-20794 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2024-02-04 | 4.3 MEDIUM | 4.7 MEDIUM |
| Multiple vulnerabilities in the web engine of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow a remote attacker to cause a denial of service (DoS) condition, view sensitive data on an affected device, or redirect users to an attacker-controlled destination. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2022-23798 | 1 Joomla | 1 Joomla\! | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate validation of URLs could result into an invalid check whether an redirect URL is internal or not. | |||||
| CVE-2021-41180 | 1 Nextcloud | 1 Talk | 2024-02-04 | 4.0 MEDIUM | 6.1 MEDIUM |
| Nextcloud talk is a self hosting messaging service. In versions prior 12.1.2 an attacker is able to control the link of a geolocation preview in the Nextcloud Talk application due to a lack of validation on the link. This could result in an open-redirect, but required user interaction. This only affected users of the Android Talk client. It is recommended that the Nextcloud Talk App is upgraded to 12.1.2. There are no known workarounds. | |||||
| CVE-2021-3654 | 2 Openstack, Redhat | 2 Nova, Openstack Platform | 2024-02-04 | 4.0 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL. | |||||
| CVE-2022-1209 | 1 Ultimatemember | 1 Ultimate Member | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| The Ultimate Member plugin for WordPress is vulnerable to open redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims in versions up to, and including, 2.3.1 granted the victim clicks on a social icon on a user's profile page. | |||||
| CVE-2020-26877 | 1 Apifest | 1 Oauth 2.0 Server | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| ApiFest OAuth 2.0 Server 0.3.1 does not validate the redirect URI in accordance with RFC 6749 and is susceptible to an open redirector attack. Specifically, it directly sends an authorization code to the redirect URI submitted with the authorization request, without checking whether the redirect URI is registered by the client who initiated the request. This allows an attacker to craft a request with a manipulated redirect URI (redirect_uri parameter), which is under the attacker's control, and consequently obtain the leaked authorization code when the server redirects the client to the manipulated redirect URI with an authorization code. NOTE: this is similar to CVE-2019-3778. | |||||
| CVE-2022-30992 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect via user-controlled query parameter. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 29240 | |||||
| CVE-2022-1254 | 1 Mcafee | 1 Web Gateway | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| A URL redirection vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.9, 9.x prior to 9.2.20, 8.x prior to 8.2.27, and 7.x prior to 7.8.2.31, and controlled release 11.x prior to 11.1.3 allows a remote attacker to redirect a user to a malicious website controlled by the attacker. This is possible because SWG incorrectly creates a HTTP redirect response when a user clicks a carefully constructed URL. Following the redirect response, the new request is still filtered by the SWG policy. | |||||
| CVE-2022-22797 | 1 Sysaid | 1 Sysaid | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| Sysaid – sysaid Open Redirect - An Attacker can change the redirect link at the parameter "redirectURL" from"GET" request from the url location: /CommunitySSORedirect.jsp?redirectURL=https://google.com. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. | |||||
| CVE-2022-29170 | 1 Grafana | 1 Grafana | 2024-02-04 | 4.9 MEDIUM | 8.5 HIGH |
| Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds. | |||||