Total
966 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-35133 | 1 Ibm | 2 Security Verify Access, Security Verify Access Docker | 2024-09-21 | N/A | 8.2 HIGH |
IBM Security Verify Access 10.0.0 through 10.0.8 OIDC Provider could allow a remote authenticated attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. | |||||
CVE-2024-24764 | 1 Octobercms | 1 October | 2024-09-19 | N/A | 4.8 MEDIUM |
October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (`october://`) allowed external links, therefore allowing an open redirect outside the scope of the active host. This vulnerability has been patched in version 3.5.15. | |||||
CVE-2024-36419 | 1 Salesagility | 1 Suitecrm | 2024-09-19 | N/A | 6.1 MEDIUM |
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue. | |||||
CVE-2024-8646 | 1 Eclipse | 1 Glassfish | 2024-09-18 | N/A | 6.1 MEDIUM |
In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context ('/'). | |||||
CVE-2024-8586 | 1 Uniong | 1 Webitr | 2024-09-16 | N/A | 6.1 MEDIUM |
WebITR from Uniong has an Open Redirect vulnerability, which allows unauthorized remote attackers to exploit this vulnerability to forge URLs. Users, believing they are accessing a trusted domain, can be redirected to another page, potentially leading to phishing attacks. | |||||
CVE-2024-4612 | 1 Gitlab | 1 Gitlab | 2024-09-14 | N/A | 6.1 MEDIUM |
An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. | |||||
CVE-2024-7312 | 1 Payara | 1 Payara | 2024-09-13 | N/A | 6.1 MEDIUM |
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50. | |||||
CVE-2024-8412 | 1 Linuxos | 1 Shakal-ng | 2024-09-12 | 4.0 MEDIUM | 6.1 MEDIUM |
A vulnerability, which was classified as problematic, was found in LinuxOSsk Shakal-NG up to 1.3.3. Affected is an unknown function of the file comments/views.py. The manipulation of the argument next leads to open redirect. It is possible to launch the attack remotely. The name of the patch is ebd1c2cba59cbac198bf2fd5a10565994d4f02cb. It is recommended to apply a patch to fix this issue. | |||||
CVE-2024-42341 | 1 Loway | 1 Queuemetrics | 2024-09-11 | N/A | 6.1 MEDIUM |
Loway - CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | |||||
CVE-2024-8555 | 1 Oretnom23 | 1 Clinic\'s Patient Management System | 2024-09-10 | 5.0 MEDIUM | 6.1 MEDIUM |
A vulnerability was found in SourceCodester Clinics Patient Management System 2.0. It has been classified as problematic. Affected is an unknown function of the file congratulations.php. The manipulation of the argument goto_page leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2024-7211 | 1 1e | 1 Platform | 2024-09-06 | N/A | 6.1 MEDIUM |
The 1E Platform's component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users. Note: 1E Platform's component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix. | |||||
CVE-2024-24034 | 1 Setorinformatica | 1 S.i.l | 2024-09-05 | N/A | 6.1 MEDIUM |
Setor Informatica S.I.L version 3.0 is vulnerable to Open Redirect via the hprinter parameter, allows remote attackers to execute arbitrary code. | |||||
CVE-2024-44776 | 1 Vtiger | 1 Vtiger Crm | 2024-09-03 | N/A | 6.1 MEDIUM |
An Open Redirect vulnerability in the page parameter of vTiger CRM v7.4.0 allows attackers to redirect users to a malicious site via a crafted URL. | |||||
CVE-2024-22891 | 2024-08-29 | N/A | 9.8 CRITICAL | ||
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. | |||||
CVE-2024-28287 | 2024-08-27 | N/A | 7.3 HIGH | ||
A DOM-based open redirection in the returnUrl parameter of INSTINCT UI Web Client 6.5.0 allows attackers to redirect users to malicious sites via a crafted URL. | |||||
CVE-2024-39097 | 2024-08-27 | N/A | 6.1 MEDIUM | ||
There is an Open Redirect vulnerability in Gnuboard v6.0.4 and below via the `url` parameter in login path. | |||||
CVE-2024-22262 | 2024-08-27 | N/A | 8.1 HIGH | ||
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input. | |||||
CVE-2024-6377 | 1 3ds | 1 3dexperience | 2024-08-27 | N/A | 6.1 MEDIUM |
An URL redirection to untrusted site (open redirect) vulnerability affecting 3DPassport in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to redirect users to an arbitrary website via a crafted URL. | |||||
CVE-2024-41801 | 1 Openproject | 1 Openproject | 2024-08-26 | N/A | 6.1 MEDIUM |
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProject user's account. This vulnerability affects default packaged installation of OpenProject without any additional configuration or modules on Apache (such as mod_security, manually setting a host name, having a fallthrough VirtualHost). It might also affect other installations that did not take care to fix the HOST/X-Forwarded-Host headers. Version 14.3.0 includes stronger protections for the hostname from within the application using the HostAuthorization middleware of Rails to reject any requests with a host name that does not match the configured one. Also, all generated links by the application are now ensured to use the built-in hostname. Users who aren't able to upgrade immediately may use mod_security for Apache2 or manually fix the Host and X-Forwarded-Host headers in their proxying application before reaching the application server of OpenProject. Alternatively, they can manually apply the patch to opt-in to host header protections in previous versions of OpenProject. | |||||
CVE-2024-43794 | 2024-08-23 | N/A | 6.1 MEDIUM | ||
OpenSearch Dashboards Security Plugin adds a configuration management UI for the OpenSearch Security features to OpenSearch Dashboards. Improper validation of the nextUrl parameter can lead to external redirect on login to OpenSearch-Dashboards for specially crafted parameters. A patch is available in 1.3.19 and 2.16.0 for this issue. |