VYPR

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base | Status: Draft | Likelihood of Exploit: Low

Description

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
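The check a redirect handler needs in order not to join the list below, as an added example that is not part of the CWE entry or of any product mapped to it (Python; the host name app.example, the function names and the hypothetical ?next= parameter are assumptions): the target is decoded exactly once and then accepted only if it is a same-origin path, with the bypass vectors that recur in the entries on this page (the "//" protocol-relative prefix, the "/%09/" tab encoding, backslash and userinfo tricks) rejected explicitly. The vulnerable handler beside it does what the Furikake entry's `header('location:'.urldecode(...))` does.

```python
from urllib.parse import unquote, urlsplit

# Assumed: the only host this application is willing to send a browser to.
APP_HOST = "app.example"


def vulnerable_redirect_target(param: str) -> str:
    """CWE-601 as it appears in the entries on this page: the parameter is
    URL-decoded and used as the Location value with no further check."""
    return unquote(param)


def safe_redirect_target(param, default="/"):
    """Return a redirect target that stays on APP_HOST, or `default`.

    Each rule is tied to a bypass seen against naive filters:
      * decode once, then reject control characters: "/%09/evil" decodes to
        "/<tab>/evil", and browsers strip the tab before resolving, leaving
        the protocol-relative "//evil"
      * reject backslashes: browsers fold "/\\evil" into "//evil"
      * anything urlsplit() sees as having a scheme or an authority (which
        includes a bare "//host" prefix and "https://good@evil") must be
        https on APP_HOST, and is then reduced to its path so the host the
        check saw is the only host that can reach the Location header
      * what is left must be a single-slash-rooted path
    """
    if not param:
        return default
    target = unquote(param)  # decode exactly once; never loop until stable
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return default
    if "\\" in target:
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        if parts.scheme != "https" or parts.hostname != APP_HOST:
            return default
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


# Constructed test vectors (not taken from any advisory): attacker-supplied
# values of a hypothetical ?next= parameter.
VECTORS = [
    "/dashboard",
    "https://app.example/account?tab=2",
    "https://evil.example/",
    "//evil.example/",
    "/%09/evil.example",
    "/\\evil.example",
    "%2f%2fevil.example",
    "https://app.example@evil.example/",
    "javascript:alert(1)",
]


def compare(vectors=VECTORS):
    """Map each vector to (what the vulnerable handler sends, what the safe one sends)."""
    return {v: (vulnerable_redirect_target(v), safe_redirect_target(v)) for v in vectors}


if __name__ == "__main__":
    for v, (bad, good) in compare().items():
        print(f"{v!r:40} vulnerable -> {bad!r:32} safe -> {good!r}")
```

Reducing an absolute same-host URL to its path is deliberate: the Location header then never carries a host other than the one the check inspected, even if a downstream layer parses the URL differently. Where an application only ever redirects to a handful of pages, an allowlist of path prefixes is the stricter variant of the same check.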

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-178

CVEs mapped to this weakness (835)

page 10 of 42
  • CVE-2017-1000484 | Med | Jan 3, 2018
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to…

  • CVE-2017-1000434 | Med | Jan 2, 2018
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Wordpress plugin Furikake version 0.1.0 is vulnerable to an Open Redirect. The furikake-redirect parameter on a page allows for a redirect to an attacker controlled page; classes/Furigana.php: header('location:'.urldecode($_GET['furikake-redirect']));

  • CVE-2017-1558 | Med | Dec 13, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    IBM Maximo Asset Management 7.5 and 7.6 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to…

  • CVE-2017-16679 | Med | Dec 12, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site.

  • CVE-2017-11482 | Med | Dec 8, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

  • CVE-2017-3105 | Med | Dec 1, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.03

    Adobe RoboHelp has an Open Redirect vulnerability. This affects versions before RH12.0.4.460 and RH2017 before RH2017.0.2.

  • CVE-2017-12344 | Med | Nov 30, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) Software could allow a remote attacker to inject arbitrary values into DCNM configuration parameters, redirect a user to a malicious website, inject malicious content into a DCNM client interface, or conduct a…

  • CVE-2017-1000163 | Med | Nov 17, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.02

    The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 are vulnerable to unvalidated URL redirection, which may result in phishing or social engineering attacks.

  • CVE-2017-16761 | Med | Nov 10, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    An Open Redirect vulnerability in Inedo BuildMaster before 5.8.2 allows remote attackers to redirect users to arbitrary web sites.

  • CVE-2017-14358 | Med | Oct 31, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    A URL redirection to untrusted site vulnerability in HP ArcSight ESM and HP ArcSight ESM Express, in any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1. This vulnerability could be exploited remotely to allow URL redirection to untrusted site.

  • CVE-2015-7943 | Med | Oct 18, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.02

    Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for Drupal, and the LABjs module 7.x-1.x before 7.x-1.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via…

  • CVE-2017-8047 | Med | Oct 4, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    In Cloud Foundry router routing-release all versions prior to v0.163.0 and cf-release all versions prior to v274, in some applications, it is possible to append a combination of characters to the URL that will allow for an open redirect. An attacker could exploit this as a…

  • CVE-2017-14525 | Med | Sep 28, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Multiple open redirect vulnerabilities in OpenText Documentum Webtop 6.8.0160.0073 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a (1) URL in the startat parameter to xda/help/en/default.htm or (2) /%09/ (slash encoded…

  • CVE-2017-14524 | Med | Sep 28, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.03

    Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a (1) URL in the startat parameter to xda/help/en/default.htm or (2) /%09/ (slash encoded…

  • CVE-2015-5608 | Med | Sep 20, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1.

  • CVE-2015-2750 | Med | Sep 13, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence.

  • CVE-2015-5054 | Med | Sep 11, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Open redirect vulnerability in Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in an unspecified parameter.

  • CVE-2017-1450 | Med | Aug 31, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    IBM Emptoris Sourcing 9.5 - 10.1.3 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a…

  • CVE-2017-14038 | Med | Aug 30, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    CrushFTP before 7.8.0 and 8.x before 8.2.0 has a redirect vulnerability.

  • CVE-2017-1195 | Med | Aug 29, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    IBM Curam Social Program Management 6.0, 6.1, 6.2, and 7.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL…