Total
1164 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17151 | 1 Tencent | 1 Wechat | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| This vulnerability allows remote attackers redirect users to an external resource on affected installations of Tencent WeChat Prior to 7.0.9. User interaction is required to exploit this vulnerability in that the target must be within a chat session together with the attacker. The specific flaw exists within the parsing of a users profile. The issue lies in the failure to properly validate a users name. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9302. | |||||
| CVE-2019-16393 | 1 Spip | 1 Spip | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character. | |||||
| CVE-2019-16220 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash. | |||||
| CVE-2019-15820 | 1 Login Or Logout Menu Item Project | 1 Login Or Logout Menu Item | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The login-or-logout-menu-item plugin before 1.2.0 for WordPress has no requirement for lolmi_save_settings authentication. | |||||
| CVE-2019-15818 | 1 Webcraftic | 1 Simple 301 Redirects | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist. | |||||
| CVE-2019-15816 | 1 Wpexpertdeveloper | 1 Wp Private Content Plus | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The wp-private-content-plus plugin before 2.0 for WordPress has no protection against option changes via save_settings_page and other save_ functions. | |||||
| CVE-2019-15776 | 1 Webcraftic | 1 Simple 301 Redirects-addon-bulk Uploader | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file. | |||||
| CVE-2019-15775 | 1 Learning Courses Project | 1 Learning Courses | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The nd-learning plugin before 4.8 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | |||||
| CVE-2019-15774 | 1 Booking Project | 1 Booking | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | |||||
| CVE-2019-15773 | 1 Travel Management Project | 1 Travel Management | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The nd-travel plugin before 1.7 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | |||||
| CVE-2019-15772 | 1 Donations Project | 1 Donations | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The nd-donations plugin before 1.4 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | |||||
| CVE-2019-15771 | 1 Components For Wp Bakery Page Builder Project | 1 Components For Wp Bakery Page Builder | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The nd-shortcodes plugin before 6.0 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | |||||
| CVE-2019-15688 | 1 Kaspersky | 5 Anti-virus, Internet Security, Security Cloud and 2 more | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus, Kaspersky Small Office Security, Kaspersky Security Cloud up to 2020, the web protection component did not adequately inform the user about the threat of redirecting to an untrusted site. Bypass. | |||||
| CVE-2019-15073 | 1 Openfind | 1 Mail2000 | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities. | |||||
| CVE-2019-15041 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| JetBrains YouTrack versions before 2019.1.52545 allowed unbounded URL whitelisting because of Inclusion of Functionality from an Untrusted Control Sphere. | |||||
| CVE-2019-14912 | 1 Prise | 1 Adas | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does not properly check the goto parameter, leading to an open redirect that leaks the session cookie. | |||||
| CVE-2019-14882 | 1 Moodle | 1 Moodle | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle 3.7 to 3.7.3, 3.6 to 3.6.7, 3.5 to 3.5.9 and earlier where an open redirect existed in the Lesson edit page. | |||||
| CVE-2019-14857 | 1 Openidc | 1 Mod Auth Openidc | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon. | |||||
| CVE-2019-14831 | 1 Moodle | 1 Moodle | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where forum subscribe link contained an open redirect if forced subscription mode was enabled. If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect. | |||||
| CVE-2019-14830 | 1 Moodle | 1 Moodle | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app"). | |||||