Total
966 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-46886 | 2024-10-10 | N/A | 4.7 MEDIUM | ||
The web server of affected devices does not properly validate input that is used for a user redirection. This could allow an attacker to make the server redirect the legitimate user to an attacker-chosen URL. For a successful exploit, the legitimate user must actively click on an attacker-crafted link. | |||||
CVE-2024-0250 | 1 Deconf | 1 Analytics Insights | 2024-10-09 | N/A | 6.1 MEDIUM |
The Analytics Insights for Google Analytics 4 (AIWP) WordPress plugin before 6.3 is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. | |||||
CVE-2023-3922 | 1 Gitlab | 1 Gitlab | 2024-10-08 | N/A | 7.1 HIGH |
An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page. | |||||
CVE-2024-8148 | 2024-10-07 | N/A | 6.1 MEDIUM | ||
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 10.8.1 - 11.2 that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. | |||||
CVE-2024-45247 | 2024-10-07 | N/A | 6.1 MEDIUM | ||
Sonarr – CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | |||||
CVE-2024-47646 | 2024-10-07 | N/A | 4.7 MEDIUM | ||
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payflex Payflex Payment Gateway.This issue affects Payflex Payment Gateway: from n/a through 2.6.1. | |||||
CVE-2024-9329 | 1 Eclipse | 1 Glassfish | 2024-10-07 | N/A | 6.1 MEDIUM |
In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. | |||||
CVE-2024-47530 | 2024-10-04 | N/A | 5.4 MEDIUM | ||
Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89. | |||||
CVE-2024-9266 | 2024-10-04 | N/A | 4.7 MEDIUM | ||
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. This vulnerability affects the use of the Express Response object. This issue impacts Express: from 3.4.5 before 4.0.0. | |||||
CVE-2023-1279 | 1 Gitlab | 1 Gitlab | 2024-10-03 | N/A | 6.1 MEDIUM |
An issue has been discovered in GitLab affecting all versions starting from 4.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 where it was possible to create a URL that would redirect to a different project. | |||||
CVE-2024-7260 | 1 Redhat | 2 Build Of Keycloak, Keycloak | 2024-10-01 | N/A | 6.1 MEDIUM |
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain. | |||||
CVE-2024-8883 | 1 Redhat | 6 Build Of Keycloak, Openshift Container Platform, Openshift Container Platform For Ibm Z and 3 more | 2024-10-01 | N/A | 6.1 MEDIUM |
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. | |||||
CVE-2024-45981 | 2024-09-30 | N/A | 8.8 HIGH | ||
A host header injection vulnerability in BookReviewLibrary 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. | |||||
CVE-2024-45979 | 2024-09-30 | N/A | 8.8 HIGH | ||
A host header injection vulnerability in Lines Police CAD 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts. | |||||
CVE-2024-46331 | 2024-09-30 | N/A | 7.2 HIGH | ||
ModStartCMS v8.8.0 was discovered to contain an open redirect vulnerability in the redirect parameter at /admin/login. This vulnerability allows attackers to redirect users to an arbitrary website via a crafted URL. | |||||
CVE-2024-8761 | 1 Wp-unit | 1 Share This Image | 2024-09-27 | N/A | 6.1 MEDIUM |
The Share This Image plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.03. This is due to insufficient validation on the redirect url supplied via the link parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. | |||||
CVE-2024-34065 | 1 Strapi | 1 Strapi | 2024-09-26 | N/A | 8.1 HIGH |
Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch. | |||||
CVE-2024-8897 | 2 Google, Mozilla | 2 Android, Firefox | 2024-09-25 | N/A | 6.1 MEDIUM |
Under certain conditions, an attacker with the ability to redirect users to a malicious site via an open redirect on a trusted site, may be able to spoof the address bar contents. This can lead to a malicious site to appear to have the same URL as the trusted site. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox for Android < 130.0.1. | |||||
CVE-2024-4283 | 1 Gitlab | 1 Gitlab | 2024-09-24 | N/A | 6.1 MEDIUM |
An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. | |||||
CVE-2024-37141 | 1 Dell | 1 Data Domain Operating System | 2024-09-23 | N/A | 3.5 LOW |
Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain an open redirect vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to information disclosure. |