Vulnerabilities (CVE)

Filtered by CWE-601
Total 966 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-35133 1 Ibm 2 Security Verify Access, Security Verify Access Docker 2024-09-21 N/A 8.2 HIGH
IBM Security Verify Access 10.0.0 through 10.0.8 OIDC Provider could allow a remote authenticated attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVE-2024-24764 1 Octobercms 1 October 2024-09-19 N/A 4.8 MEDIUM
October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (`october://`) allowed external links, therefore allowing an open redirect outside the scope of the active host. This vulnerability has been patched in version 3.5.15.
CVE-2024-36419 1 Salesagility 1 Suitecrm 2024-09-19 N/A 6.1 MEDIUM
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue.
CVE-2024-8646 1 Eclipse 1 Glassfish 2024-09-18 N/A 6.1 MEDIUM
In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context ('/').
CVE-2024-8586 1 Uniong 1 Webitr 2024-09-16 N/A 6.1 MEDIUM
WebITR from Uniong has an Open Redirect vulnerability, which allows unauthorized remote attackers to exploit this vulnerability to forge URLs. Users, believing they are accessing a trusted domain, can be redirected to another page, potentially leading to phishing attacks.
CVE-2024-4612 1 Gitlab 1 Gitlab 2024-09-14 N/A 6.1 MEDIUM
An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow.
CVE-2024-7312 1 Payara 1 Payara 2024-09-13 N/A 6.1 MEDIUM
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.
CVE-2024-8412 1 Linuxos 1 Shakal-ng 2024-09-12 4.0 MEDIUM 6.1 MEDIUM
A vulnerability, which was classified as problematic, was found in LinuxOSsk Shakal-NG up to 1.3.3. Affected is an unknown function of the file comments/views.py. The manipulation of the argument next leads to open redirect. It is possible to launch the attack remotely. The name of the patch is ebd1c2cba59cbac198bf2fd5a10565994d4f02cb. It is recommended to apply a patch to fix this issue.
CVE-2024-42341 1 Loway 1 Queuemetrics 2024-09-11 N/A 6.1 MEDIUM
Loway - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-8555 1 Oretnom23 1 Clinic\'s Patient Management System 2024-09-10 5.0 MEDIUM 6.1 MEDIUM
A vulnerability was found in SourceCodester Clinics Patient Management System 2.0. It has been classified as problematic. Affected is an unknown function of the file congratulations.php. The manipulation of the argument goto_page leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-7211 1 1e 1 Platform 2024-09-06 N/A 6.1 MEDIUM
The 1E Platform's component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users. Note: 1E Platform's component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix.
CVE-2024-24034 1 Setorinformatica 1 S.i.l 2024-09-05 N/A 6.1 MEDIUM
Setor Informatica S.I.L version 3.0 is vulnerable to Open Redirect via the hprinter parameter, allows remote attackers to execute arbitrary code.
CVE-2024-44776 1 Vtiger 1 Vtiger Crm 2024-09-03 N/A 6.1 MEDIUM
An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL.
CVE-2024-22891 2024-08-29 N/A 9.8 CRITICAL
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link.
CVE-2024-28287 2024-08-27 N/A 7.3 HIGH
A DOM-based open redirection in the returnUrl parameter of INSTINCT UI Web Client 6.5.0 allows attackers to redirect users to malicious sites via a crafted URL.
CVE-2024-39097 2024-08-27 N/A 6.1 MEDIUM
There is an Open Redirect vulnerability in Gnuboard v6.0.4 and below via the `url` parameter in login path.
CVE-2024-22262 2024-08-27 N/A 8.1 HIGH
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259  and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
CVE-2024-6377 1 3ds 1 3dexperience 2024-08-27 N/A 6.1 MEDIUM
An URL redirection to untrusted site (open redirect) vulnerability affecting 3DPassport in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to redirect users to an arbitrary website via a crafted URL.
CVE-2024-41801 1 Openproject 1 Openproject 2024-08-26 N/A 6.1 MEDIUM
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProject user's account. This vulnerability affects default packaged installation of OpenProject without any additional configuration or modules on Apache (such as mod_security, manually setting a host name, having a fallthrough VirtualHost). It might also affect other installations that did not take care to fix the HOST/X-Forwarded-Host headers. Version 14.3.0 includes stronger protections for the hostname from within the application using the HostAuthorization middleware of Rails to reject any requests with a host name that does not match the configured one. Also, all generated links by the application are now ensured to use the built-in hostname. Users who aren't able to upgrade immediately may use mod_security for Apache2 or manually fix the Host and X-Forwarded-Host headers in their proxying application before reaching the application server of OpenProject. Alternatively, they can manually apply the patch to opt-in to host header protections in previous versions of OpenProject.
CVE-2024-43794 2024-08-23 N/A 6.1 MEDIUM
OpenSearch Dashboards Security Plugin adds a configuration management UI for the OpenSearch Security features to OpenSearch Dashboards. Improper validation of the nextUrl parameter can lead to external redirect on login to OpenSearch-Dashboards for specially crafted parameters. A patch is available in 1.3.19 and 2.16.0 for this issue.