VYPR

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base
Status: Draft
Likelihood of exploit: Low

Description

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
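Worked example, added here by the editor and not part of the CWE entry or of any product listed below: a Python handler that does exactly what the description warns against (echoing a client-supplied return URL into the redirect) beside a hardened version that accepts only a site-relative path or an http(s) URL whose hostname exactly matches an allowlist, and rebuilds the target from parsed components rather than from the raw input. The hostnames in ALLOWED_HOSTS and every sample URL are constructed. The bypass shapes it refuses (protocol-relative //host, backslash in place of slash, userinfo with @, a percent-encoded %40 inside the authority, prefix-matched lookalike hosts, non-http schemes, CR/LF) are the ones that recur in the CVE descriptions on this page.

```python
"""CWE-601 worked example: echoing a client-supplied URL into a redirect,
beside a hardened target check.  Editor-added illustration; the hostnames
and sample inputs are constructed, not taken from any listed product."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hosts this application may send users to (constructed allowlist).
ALLOWED_HOSTS = {"app.example.com", "sso.example.com"}
DEFAULT_TARGET = "/"


def vulnerable_redirect_target(return_url: str) -> str:
    """The CWE-601 pattern: the value of ?returnUrl= becomes the Location
    header unchanged, so any absolute URL the attacker chooses is honoured."""
    return return_url


def safe_redirect_target(return_url: Optional[str],
                         allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return a redirect target that is either a site-relative path or an
    http(s) URL whose hostname is exactly in the allowlist; anything else
    falls back to `default`.  The result is rebuilt from parsed parts, so
    userinfo, fragments and stray slashes never reach the Location header."""
    if not return_url:
        return default
    # Browsers treat "\" like "/", so "/\evil" means "//evil"; normalise first.
    candidate = return_url.strip().replace("\\", "/")
    # CR/LF would split the response header; tabs and other control bytes
    # are used to smuggle schemes past naive checks ("java\tscript:").
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return default

    parts = urlsplit(candidate)

    if parts.scheme:
        # Absolute URL: only http/https, and only to an allowlisted host.
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https"):
            return default
        # .hostname drops userinfo and port, so "sso.example.com@evil" yields
        # "evil", and "sso.example.com%40evil" stays one unknown label.
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:          # exact match, never startswith
            return default
        try:
            port = parts.port                  # ValueError on a bogus port
        except ValueError:
            return default
        netloc = host if port is None else f"{host}:{port}"
        return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))

    # No scheme: accept only a path on this site.  "//evil" parses as a
    # netloc and is refused; "///evil" parses as path "/evil" and is re-emitted
    # as that single-slash path, which a browser also treats as local.
    if parts.netloc or not parts.path.startswith("/"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for url in ("/account?tab=1", "//evil.example/", r"/\evil.example",
                "https://sso.example.com@evil.example/",
                "https://sso.example.com%40evil.example/",
                "https://app.example.com.evil.example/", "javascript:alert(1)"):
        print(f"{url!r:48} -> {safe_redirect_target(url)!r}")
```

The allowlist comparison is on the parsed hostname, not on a string prefix of the raw URL; prefix checks are what the userinfo and %40 tricks defeat. Rebuilding the Location value from the parsed pieces, rather than returning the input once it has passed a check, is what keeps the check and the emitted header in agreement.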

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-178

CVEs mapped to this weakness (835)

page 11 of 42
  • CVE-2018-1220 (Medium), Mar 8, 2018
    risk 0.40, CVSS 6.1, EPSS 0.02

    EMC RSA Archer, versions prior to 6.2.0.8, contains a redirect vulnerability in the QuickLinks feature. A remote attacker may potentially exploit this vulnerability to redirect genuine users to phishing websites with the intent of obtaining sensitive information from the users.

  • CVE-2018-7473 (Medium), Mar 7, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    Open redirect vulnerability in the SO Connect SO WIFI hotspot web interface, prior to version 140, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL.

  • CVE-2018-6324 (Medium), Feb 16, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    F-Secure Radar (on-premises) before 2018-02-15 has an Unvalidated Redirect via the ReturnUrl parameter that triggers upon a user login.

  • CVE-2017-8945 (Medium), Feb 15, 2018
    risk 0.40, CVSS 6.1, EPSS 0.02

    A Remote Unauthorized Disclosure of Information vulnerability in HPE IceWall Federation Agent version 3.0 was found.

  • CVE-2017-18178 (Medium), Feb 12, 2018
    risk 0.40, CVSS 6.1, EPSS 0.02

    Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1.

  • CVE-2018-6520 (Medium), Feb 2, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL.

  • CVE-2017-2166 (Medium), Jan 26, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    Open redirect vulnerability in GroupSession version 4.7.0 and earlier allows an attacker to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

  • CVE-2018-6200 (Medium), Jan 25, 2018
    risk 0.40, CVSS 6.1, EPSS 0.04

    vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter.

  • CVE-2018-0097 (Medium), Jan 18, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    A vulnerability in the web interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to redirect a user to a malicious web page, aka an Open Redirect. The vulnerability is due to improper input validation of the parameters in the HTTP request. An…

  • CVE-2017-1534 (Medium), Jan 10, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    IBM Security Access Manager Appliance 8.0.0 and 9.0.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL…

  • CVE-2017-1668 (Medium), Jan 9, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL…

  • CVE-2017-1000484 (Medium), Jan 3, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to…

  • CVE-2017-1000434 (Medium), Jan 2, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    WordPress plugin Furikake version 0.1.0 is vulnerable to an Open Redirect. The furikake-redirect parameter on a page allows for a redirect to an attacker controlled page, classes/Furigana.php: header('location:'.urldecode($_GET['furikake-redirect']));

  • CVE-2017-1558 (Medium), Dec 13, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    IBM Maximo Asset Management 7.5 and 7.6 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to…

  • CVE-2017-16679 (Medium), Dec 12, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 NUC, SAP KERNEL 32 Unicode, SAP KERNEL 64 NUC, SAP KERNEL 64 Unicode 7.21, 7.21EXT, 7.22 and 7.22EXT; SAP KERNEL 7.21, 7.22, 7.45, 7.49 and 7.52, that allows an attacker to redirect users to a malicious site.

  • CVE-2017-11482 (Medium), Dec 8, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

  • CVE-2017-3105 (Medium), Dec 1, 2017
    risk 0.40, CVSS 6.1, EPSS 0.03

    Adobe RoboHelp has an Open Redirect vulnerability. This affects versions before RH12.0.4.460 and RH2017 before RH2017.0.2.

  • CVE-2017-12344 (Medium), Nov 30, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) Software could allow a remote attacker to inject arbitrary values into DCNM configuration parameters, redirect a user to a malicious website, inject malicious content into a DCNM client interface, or conduct a…

  • CVE-2017-1000163 (Medium), Nov 17, 2017
    risk 0.40, CVSS 6.1, EPSS 0.02

    The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 are vulnerable to unvalidated URL redirection, which may result in phishing or social engineering attacks.

  • CVE-2017-16761 (Medium), Nov 10, 2017
    risk 0.40, CVSS 6.1, EPSS 0.01

    An Open Redirect vulnerability in Inedo BuildMaster before 5.8.2 allows remote attackers to redirect users to arbitrary web sites.