CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
Description
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
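The weakness is easiest to see next to its fix. Below is an added example (not code from this page or from any of the projects in the CVE list): a `?next=` handler written the way CWE-601 describes, beside a hardened version that resolves the parameter against the site's own origin and only then checks the host. The origin `https://app.example.com`, the allow-list and the function names are assumptions. The pre-checks exist because browsers and `urllib` parse differently: browsers treat a backslash as a slash in http(s) URLs, strip tab and newline characters, and collapse `///host` to `//host` (the "multiple forward slashes" bypass mentioned in the Liferay entry below), while a scheme-less `host` (the uri.js entries below) is read as a relative path by one parser and a host by another.

```python
"""
Open-redirect check for a ``?next=`` style parameter.

Added example, not code from any project on this page. The site origin,
the allow-list and the function names are assumptions.
"""
from urllib.parse import urljoin, urlsplit

SITE_BASE = "https://app.example.com/"   # assumed origin of the application
ALLOWED_HOSTS = {"app.example.com"}      # assumed allow-list of redirect hosts


def redirect_target_vulnerable(next_param: str, default: str = "/") -> str:
    """The CWE-601 pattern: whatever the client sent becomes the Location header."""
    return next_param or default


def safe_redirect_target(next_param, base=SITE_BASE,
                         allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return an absolute URL on an allow-listed host, or ``default``.

    Order matters: reject characters the browser would strip or fold first,
    then classify the reference, then resolve it exactly as the browser would
    against our own origin and check the host of the *resolved* URL.
    """
    if not next_param:
        return default
    # 1. Browsers drop tab/newline and trim leading/trailing controls and spaces;
    #    a check that sees "/\t/evil.com" as a path would be bypassed. Refuse them.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in next_param):
        return default
    # 2. In browsers "\" is a path separator for http(s), so "/\evil.com" is
    #    "//evil.com"; urllib leaves it in the path. Refuse backslashes outright.
    if "\\" in next_param:
        return default
    try:
        parts = urlsplit(next_param)
    except ValueError:          # e.g. a malformed IPv6 literal in the authority
        return default
    if parts.scheme:
        # Absolute URL: only http(s) with an explicit authority is considered.
        # "javascript:", "data:" and friends are rejected here.
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return default
    else:
        # Relative reference: must be a single-slash path. "//host" is
        # protocol-relative, "///host" collapses to "//host" in browsers, and a
        # bare "host" with no scheme is ambiguous between path and authority.
        if not next_param.startswith("/") or next_param.startswith("//"):
            return default
    resolved = urljoin(base, next_param)
    final = urlsplit(resolved)
    base_parts = urlsplit(base)
    # 3. Decide on the resolved URL, not the raw input. ``hostname`` is
    #    lower-cased and excludes userinfo, so "https://app.example.com@evil.com"
    #    yields "evil.com" and fails; an http:// link to our own host is a
    #    downgrade and fails the scheme comparison.
    if final.scheme != base_parts.scheme or final.hostname not in allowed_hosts:
        return default
    return resolved


if __name__ == "__main__":
    # Constructed sample inputs: the first two are legitimate, the rest are
    # the shapes a tester tries against a redirect parameter.
    samples = [
        "/dashboard?tab=1",
        "https://app.example.com/settings",
        "https://evil.com/",
        "//evil.com",
        "///evil.com",
        "/\\evil.com",
        "https://app.example.com@evil.com/",
        "evil.com",
        "javascript:alert(1)",
        "http://app.example.com/x",
    ]
    for s in samples:
        print(f"{s!r:45} vulnerable -> {redirect_target_vulnerable(s)!r:40} "
              f"safe -> {safe_redirect_target(s)!r}")
```

The allow-list is deliberately a set of exact hostnames rather than a suffix match; `app.example.com.evil.com` ends with the expected string and is the first thing a suffix check lets through. If the application legitimately needs to send users to a partner site, add that hostname to the set rather than loosening the comparison.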
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-178
CVEs mapped to this weakness (835)
page 21 of 42

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-2237 | — | Med | 0.33 | 6.1 | 0.00 | — | Mar 27, 2023 | A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function. |
| CVE-2022-0637 | — | Med | 0.33 | 6.1 | 0.00 | — | Feb 16, 2023 | Open redirect in pollbot (pollbot.services.mozilla.com) in versions before 1.4.6. |
| CVE-2023-22797 | — | Med | 0.33 | 6.1 | 0.01 | — | Feb 9, 2023 | An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could… |
| CVE-2022-28923 | — | Med | 0.33 | 6.1 | 0.01 | — | Feb 6, 2023 | Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs. |
| CVE-2022-4720 | — | Med | 0.33 | 6.1 | 0.00 | — | Dec 27, 2022 | Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.5. |
| CVE-2022-4644 | — | Med | 0.33 | 6.1 | 0.01 | — | Dec 22, 2022 | Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.4. |
| CVE-2022-46683 | — | Med | 0.33 | 6.1 | 0.01 | — | Dec 12, 2022 | Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. |
| CVE-2022-43985 | — | Med | 0.33 | 6.1 | 0.01 | — | Nov 2, 2022 | In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. |
| CVE-2022-3438 | — | Med | 0.33 | 6.1 | 0.00 | — | Oct 10, 2022 | Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.0a4. |
| CVE-2022-28977 | — | Med | 0.33 | 6.1 | 0.00 | — | Sep 22, 2022 | HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers… |
| CVE-2022-40754 | — | Med | 0.33 | 6.1 | 0.01 | — | Sep 21, 2022 | In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint. |
| CVE-2022-2252 | — | Med | 0.33 | 6.1 | 0.01 | — | Jun 29, 2022 | Open Redirect in GitHub repository microweber/microweber prior to 1.2.19. |
| CVE-2022-33146 | — | Med | 0.33 | 6.1 | 0.01 | — | Jun 27, 2022 | Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL. |
| CVE-2022-29718 | — | Med | 0.33 | 6.1 | 0.01 | — | Jun 2, 2022 | Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users into clicking on crafted links. |
| CVE-2022-29214 | — | Med | 0.33 | 6.1 | 0.01 | — | May 21, 2022 | NextAuth.js (next-auth) is an open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this… |
| CVE-2022-24858 | — | Med | 0.33 | 6.1 | 0.01 | — | Apr 19, 2022 | next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks… |
| CVE-2022-27463 | — | Med | 0.33 | 6.1 | 0.01 | — | Apr 5, 2022 | Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6 allows attackers to arbitrarily redirect users from a crafted URL to the login page. |
| CVE-2022-1233 | — | Med | 0.33 | 6.1 | 0.01 | — | Apr 4, 2022 | URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11. |
| CVE-2022-0697 | — | Med | 0.33 | 6.1 | 0.01 | — | Mar 6, 2022 | Open Redirect in GitHub repository archivy/archivy prior to 1.7.0. |
| CVE-2022-0868 | — | Med | 0.33 | 6.1 | 0.01 | — | Mar 6, 2022 | Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10. |