CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
Description
The web application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect. Because the first hop lands on a domain the victim already trusts, the weakness is mainly abused for phishing; in login and OAuth flows a permissive check on a `next` or `redirect_uri` parameter can additionally deliver authorization codes or post-login state to an attacker-chosen host.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-178
CVEs mapped to this weakness (835)
Page 35 of 42

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2020-36627 | 0.00 | — | 0.01 | Dec 25, 2022 | A vulnerability was found in Macaron i18n. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file i18n.go. The manipulation leads to open redirect. The attack can be launched remotely. Upgrading to version 0.5.0 is able to… |
| CVE-2022-4720 | 0.00 | — | 0.00 | Dec 23, 2022 | Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.5. |
| CVE-2022-4644 | 0.00 | — | 0.01 | Dec 22, 2022 | Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.4. |
| CVE-2022-47500 | 0.00 | — | 0.01 | Dec 19, 2022 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apache Helix UI component. This issue affects Apache Helix all releases from 0.8.0 to 1.0.4. Solution: removed the forward component since it was improperly designed for UI… |
| CVE-2021-4260 | 0.00 | — | 0.00 | Dec 19, 2022 | A vulnerability was found in oils-js. It has been declared as critical. This vulnerability affects unknown code of the file core/Web.js. The manipulation leads to open redirect. The attack can be initiated remotely. The name of the patch is fad8fbae824a7d367dacb90d56cb02c5cb999d4… |
| CVE-2022-4589 | 0.00 | — | 0.00 | Dec 17, 2022 | A vulnerability has been found in cyface Terms and Conditions Module up to 2.0.9 and classified as problematic. Affected by this vulnerability is the function returnTo of the file termsandconditions/views.py. The manipulation leads to open redirect. The attack can be launched… |
| CVE-2022-46683 | 0.00 | — | 0.01 | Dec 7, 2022 | Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. |
| CVE-2022-41965 | 0.00 | — | 0.00 | Nov 28, 2022 | Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 12.5, Opencast's Paella authentication page could be used to redirect to an arbitrary URL for authenticated users. The vulnerability allows attackers to… |
| CVE-2022-45402 | 0.00 | — | 0.82 | Nov 15, 2022 | In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. |
| CVE-2022-43985 | 0.00 | — | 0.01 | Nov 2, 2022 | In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. |
| CVE-2022-3438 | 0.00 | — | 0.00 | Oct 10, 2022 | Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.0a4. |
| CVE-2022-40083 | 0.00 | — | 0.02 | Sep 28, 2022 | Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF). |
| CVE-2022-28977 | 0.00 | — | 0.00 | Sep 22, 2022 | HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers… |
| CVE-2022-40754 | 0.00 | — | 0.01 | Sep 21, 2022 | In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's `/confirm` endpoint. |
| CVE-2022-25295 | 0.00 | — | 0.01 | Sep 11, 2022 | This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parse(r.FormValue("next")) to extract path and eventually redirect user to a relative URL, but if next parameter starts… |
| CVE-2022-36087 | 0.00 | — | 0.01 | Sep 9, 2022 | OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it… |
| CVE-2020-26938 | 0.00 | — | 0.01 | Aug 29, 2022 | In oauth2-server (aka node-oauth2-server) through 3.1.1, the value of the redirect_uri parameter received during the authorization and token request is checked against an incorrect URI pattern ("[a-zA-Z][a-zA-Z0-9+.-]+:") before making a redirection. This allows a malicious… |
| CVE-2021-23385 | 0.00 | — | 0.01 | Aug 2, 2022 | This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This… |
| CVE-2022-31193 | 0.00 | — | 0.01 | Aug 1, 2022 | DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL… |
| CVE-2022-35652 | 0.00 | — | 0.01 | Jul 25, 2022 | An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful… |
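Several entries above share one root cause: the redirect target is judged by what a URL parser reports rather than by what a browser will do with it. The multiple-forward-slash bypass (Liferay) and the multiple-backslash bypass (Flask-Security) both exploit that gap, as does parsing a `next` parameter and trusting the result (gophish). The block below is an added example, not code from any of the listed projects or advisories, illustrating the weakness described at the top of the page. It uses only the Python standard library; the hosts `allowed.example` and `evil.example`, the probe strings, and the function names `naive_is_local`, `is_safe_redirect` and `sanitize_next` are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed probe strings (not taken from any advisory above). The
# extra-slash and backslash forms are the bypass classes named in the table
# for Liferay (CVE-2022-28977) and Flask-Security (CVE-2021-23385); the rest
# are standard open-redirect variants.
PROBES = [
    "/dashboard?x=1",                          # legitimate site-absolute path
    "https://allowed.example/report",          # legitimate absolute URL on our host
    "//evil.example",                          # scheme-relative
    "///evil.example",                         # extra slash: parser sees no host, browser goes to evil.example
    "/\\evil.example",                         # slash + backslash: browsers treat '\' as '/'
    "\\\\evil.example",                        # multiple backslashes
    "https://allowed.example@evil.example/",   # userinfo confusion
    "https://allowed.example.evil.example/",   # suffix confusion
    "javascript:alert(1)",                     # non-http scheme
]


def naive_is_local(target: str) -> bool:
    """Vulnerable check: trusts the parser's view of the URL.

    urlsplit('///evil.example') and urlsplit('/\\\\evil.example') both report
    an empty scheme and netloc, yet a browser following that Location header
    navigates to http://evil.example/.
    """
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """Hardened check: accept only a site-absolute path ('/...') with a single
    leading slash, or an http(s) URL whose hostname equals allowed_host."""
    if not target or len(target) > 2048:
        return False
    # Control characters and whitespace have no place in a redirect target;
    # they also enable header injection and parser/browser disagreements.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat '\' as '/' in http(s) URLs, so normalise before parsing
    # instead of letting the parser and the browser disagree.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading slash. '//...' and '///...' are
        # host-bearing in every browser regardless of what urlsplit reports.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo and port and lower-cases, so
    # 'https://allowed.example@evil.example' compares as 'evil.example'.
    return parts.hostname == allowed_host.lower()


def sanitize_next(target: str, allowed_host: str, fallback: str = "/") -> str:
    """What a login/logout handler should call: the target if it is safe,
    otherwise the fallback, so the redirect never reaches an attacker's host."""
    return target if is_safe_redirect(target, allowed_host) else fallback


def compare(probes=PROBES, allowed_host="allowed.example"):
    """Return {probe: (naive_verdict, hardened_verdict)} for every probe."""
    return {p: (naive_is_local(p), is_safe_redirect(p, allowed_host)) for p in probes}


if __name__ == "__main__":
    for probe, (naive, hardened) in compare().items():
        print(f"{probe!r:45} naive={naive!s:5} hardened={hardened}")
```

Running the module prints one line per probe; the naive check accepts `///evil.example`, `/\evil.example` and `\\evil.example`, while the hardened check rejects all of them and still accepts `/dashboard?x=1` and `https://allowed.example/report`. The design choice worth copying is the order of operations: reject control characters, fold backslashes, and only then parse; a validator that parses first is reasoning about a URL the browser will never see.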