VYPR

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base | Status: Draft | Likelihood of Exploit: Low

Description

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. Because the redirect is issued from the trusted domain, the victim sees a legitimate URL in the link they click, which makes phishing much easier.
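As an added illustration (not part of the CWE entry or of the VYPR page), the Python below puts the vulnerable pattern next to a hardened resolver for a login form's `next` parameter. The host name `app.example.com`, the base URL and the sample inputs are assumptions constructed for the example; the hardened version also covers the edge cases behind several of the bypasses listed further down (protocol-relative `//host`, backslash confusion, userinfo tricks, non-http schemes) and always returns a path-only target so the response can never leave the origin.

```python
from urllib.parse import urljoin, urlsplit

# Assumption for this example: the application is served from this host.
# Anything else counts as an external site for redirect purposes.
ALLOWED_HOSTS = {"app.example.com"}
BASE_URL = "https://app.example.com/"
SAFE_SCHEMES = {"http", "https"}


def vulnerable_redirect_target(next_url: str) -> str:
    """The CWE-601 pattern: the 'next' parameter goes straight into the
    Location header, so ?next=https://evil.example sends the user off-site."""
    return next_url


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Return a same-origin, path-only redirect target derived from next_url,
    or `default` when the input cannot be shown to stay on-site.

    The result never carries a scheme or host, so even a parser mismatch
    between this code and the browser cannot yield an off-site redirect.
    """
    # 1. Empty input, control characters or whitespace: fall back. CR/LF in
    #    particular must never reach a header.
    if not next_url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in next_url):
        return default

    # 2. Browsers treat backslashes like forward slashes in http(s) URLs,
    #    so "/\evil.example" is really "//evil.example". Normalise first.
    candidate = next_url.replace("\\", "/")

    try:
        parts = urlsplit(candidate)
        resolved = urlsplit(urljoin(BASE_URL, candidate))
    except ValueError:  # e.g. a malformed IPv6 literal
        return default

    # 3. Only http(s) may be redirected to; javascript:, data:, etc. are out.
    #    urlsplit already lower-cases the scheme.
    if parts.scheme and parts.scheme not in SAFE_SCHEMES:
        return default

    # 4. An absolute or protocol-relative URL (netloc present) must name one
    #    of our own hosts. .hostname drops userinfo and port, so
    #    "https://app.example.com@evil.example/" resolves to evil.example.
    if parts.netloc and (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return default

    # 5. Re-check after resolution against the base URL.
    if resolved.scheme not in SAFE_SCHEMES:
        return default
    if (resolved.hostname or "").lower() not in ALLOWED_HOSTS:
        return default

    # 6. Emit a path-only target. A path beginning with "//" would be read by
    #    the browser as a protocol-relative URL, so reject it explicitly
    #    (this catches "////evil.example" and similar).
    path = resolved.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return default
    target = path
    if resolved.query:
        target += "?" + resolved.query
    if resolved.fragment:
        target += "#" + resolved.fragment
    return target


if __name__ == "__main__":
    # Constructed sample inputs, as a login form's ?next= parameter might carry them.
    samples = [
        "/account/settings?tab=1",
        "https://app.example.com/orders#recent",
        "https://evil.example/phish",
        "//evil.example/phish",
        "/\\evil.example",
        "https://app.example.com@evil.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:42} vulnerable -> {vulnerable_redirect_target(s)!r:42} safe -> {safe_redirect_target(s)!r}")
```

The design choice worth copying is step 6: rather than trying to decide whether an arbitrary URL is "ours", the function only ever emits a relative path, so the allowlist check is a convenience for accepting absolute links to the application itself, not the security boundary.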

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-178

CVEs mapped to this weakness (835)

page 13 of 42
  • CVE-2017-1450 | Medium | Aug 31, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    IBM Emptoris Sourcing 9.5 - 10.1.3 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a…

  • CVE-2017-14038 | Medium | Aug 30, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    CrushFTP before 7.8.0 and 8.x before 8.2.0 has a redirect vulnerability.

  • CVE-2017-1195 | Medium | Aug 29, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    IBM Curam Social Program Management 6.0, 6.1, 6.2, and 7.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL…

  • CVE-2017-1489 | Medium | Aug 29, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    IBM Security Access Manager 6.1, 7.0, 8.0, and 9.0 e-community configurations may be affected by a redirect vulnerability. ECSSO Master Authentication can redirect to a server not participating in an e-community domain. IBM X-Force ID: 128687.

  • CVE-2017-12138 | Medium | Aug 2, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.03

    XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter.

  • CVE-2017-11718 | Medium | Jul 28, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    There is URL Redirector Abuse in MetInfo through 5.3.17 via the gourl parameter to member/login.php.

  • CVE-2017-11586 | Medium | Jul 24, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.02

    dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php.

  • CVE-2017-1223 | Medium | Jul 19, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    IBM Tivoli Endpoint Manager could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to…

  • CVE-2017-1000027 | Medium | Jul 17, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable to an open URL redirect vulnerability in the user web login function resulting in unauthorized account access.

  • CVE-2017-1000013 | Medium | Jul 17, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness.

  • CVE-2016-8947 | Medium | Jul 12, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    IBM Emptoris Sourcing 9.5.x through 10.1.x could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to…

  • CVE-2017-8621 | Medium | Jul 11, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.03

    Microsoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange Server 2013 CU16, and Exchange Server 2016 CU5 allows an open redirect vulnerability that could lead to spoofing, aka "Microsoft Exchange Open Redirect Vulnerability".

  • CVE-2017-1398 | Medium | Jul 10, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 6.0, 7.0, and 8.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this…

  • CVE-2017-2217 | Medium | Jul 7, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Open redirect vulnerability in WordPress Download Manager prior to version 2.9.51 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

  • CVE-2017-5002 | Medium | Jul 7, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is affected by an open redirect vulnerability. A remote unprivileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the…

  • CVE-2017-6018 | Medium | Jun 30, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    An open redirect issue was discovered in B. Braun Medical SpaceCom module, which is integrated into the SpaceStation docking station: SpaceStation with SpaceCom module (integrated as part number 8713142U), software versions prior to Version 012U000040, and SpaceStation (part…

  • CVE-2017-8451 | Medium | Jun 16, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.

  • CVE-2016-10365 | Medium | Jun 16, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website.

  • CVE-2017-9464 | Medium | Jun 14, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the "redirect" parameter is not…

  • CVE-2017-6670 | Medium | Jun 13, 2017
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    A vulnerability in the web-based GUI of Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to redirect a user to a malicious web page, aka an Open Redirect issue. More Information: CSCvc54813. Known Affected Releases: 8.1(7)ER1.