VYPR

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base | Status: Draft | Likelihood: Low

Description

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-178

CVEs mapped to this weakness (835)

Page 21 of 42
  • CVE-2022-2237 | Medium | Mar 27, 2023
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.

  • CVE-2022-0637 | Medium | Feb 16, 2023
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    open redirect in pollbot (pollbot.services.mozilla.com) in versions before 1.4.6

  • CVE-2023-22797 | Medium | Feb 9, 2023
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could…

  • CVE-2022-28923 | Medium | Feb 6, 2023
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.

  • CVE-2022-4720 | Medium | Dec 27, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.5.

  • CVE-2022-4644 | Medium | Dec 22, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.4.

  • CVE-2022-46683 | Medium | Dec 12, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

  • CVE-2022-43985 | Medium | Nov 2, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint.

  • CVE-2022-3438 | Medium | Oct 10, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

  • CVE-2022-28977 | Medium | Sep 22, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.00

    HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers…

  • CVE-2022-40754 | Medium | Sep 21, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint.

  • CVE-2022-2252 | Medium | Jun 29, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    Open Redirect in GitHub repository microweber/microweber prior to 1.2.19.

  • CVE-2022-33146 | Medium | Jun 27, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL.

  • CVE-2022-29718 | Medium | Jun 2, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

  • CVE-2022-29214 | Medium | May 21, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    NextAuth.js (next-auth) is an open source authentication solution for Next.js applications. Prior to versions 3.29.3 and 4.3.3, an open redirect vulnerability is present when the developer is implementing an OAuth 1 provider. Versions 3.29.3 and 4.3.3 contain a patch for this…

  • CVE-2022-24858 | Medium | Apr 19, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks…

  • CVE-2022-27463 | Medium | Apr 5, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6 allows attackers to arbitrarily redirect users from a crafted URL to the login page.

  • CVE-2022-1233 | Medium | Apr 4, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11.

  • CVE-2022-0697 | Medium | Mar 6, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    Open Redirect in GitHub repository archivy/archivy prior to 1.7.0.

  • CVE-2022-0868 | Medium | Mar 6, 2022
    risk 0.33 | CVSS 6.1 | EPSS 0.01

    Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10.