Total
962 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-41207 | 1 Sap | 1 Biller Direct | 2022-11-09 | N/A | 6.1 MEDIUM |
SAP Biller Direct allows an unauthenticated attacker to craft a legitimate looking URL. When clicked by an unsuspecting victim, it will use an unsensitized parameter to redirect the victim to a malicious site of the attacker's choosing which can result in disclosure or modification of the victim's information. | |||||
CVE-2022-43985 | 1 Apache | 1 Airflow | 2022-11-03 | N/A | 6.1 MEDIUM |
In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. | |||||
CVE-2022-3797 | 1 Eolink | 1 Apinto-dashboard | 2022-11-02 | N/A | 6.1 MEDIUM |
A vulnerability was found in eolinker apinto-dashboard. It has been rated as problematic. This issue affects some unknown processing of the file /login. The manipulation of the argument callback leads to open redirect. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-212633 was assigned to this vulnerability. | |||||
CVE-2022-28763 | 1 Zoom | 3 Meetings, Rooms For Conference Rooms, Virtual Desktop Infrastructure | 2022-11-01 | N/A | 9.6 CRITICAL |
The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.12.2 is susceptible to a URL parsing vulnerability. If a malicious Zoom meeting URL is opened, the malicious link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers. | |||||
CVE-2022-39021 | 1 Edetw | 1 U-office Force | 2022-10-31 | N/A | 6.1 MEDIUM |
U-Office Force login function has an Open Redirect vulnerability. An unauthenticated remote attacker can exploit this vulnerability to redirect user to arbitrary website. | |||||
CVE-2022-38197 | 1 Esri | 1 Arcgis Server | 2022-10-31 | N/A | 6.1 MEDIUM |
Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker controlled website via a crafted query parameter. | |||||
CVE-2022-39359 | 1 Metabase | 1 Metabase | 2022-10-28 | N/A | 6.5 MEDIUM |
Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URL address would follow redirects to addresses that were otherwise disallowed, like link-local or private-network. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follow redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON completely (`true` by default). | |||||
CVE-2020-1723 | 2 Keycloak Gatekeeper Project, Redhat | 2 Keycloak Gatekeeper, Mobile Application Platform | 2022-10-27 | 5.8 MEDIUM | 6.1 MEDIUM |
A flaw was found in Keycloak Gatekeeper (Louketo). The logout endpoint can be abused to redirect logged-in users to arbitrary web pages. Affected versions of Keycloak Gatekeeper (Louketo): 6.0.1, 7.0.0 | |||||
CVE-2022-26954 | 1 Nopcommerce | 1 Nopcommerce | 2022-10-21 | N/A | 6.1 MEDIUM |
Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class. | |||||
CVE-2019-8995 | 1 Tibco | 2 Activematrix Bpm, Silver Fabric Enabler | 2022-10-14 | 5.8 MEDIUM | 6.1 MEDIUM |
The workspace client, openspace client, and app development client of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contain a vulnerability wherein a malicious URL could trick a user into visiting a website of the attacker's choice. Affected releases are TIBCO Software Inc.'s TIBCO ActiveMatrix BPM: versions up to and including 4.2.0, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric: versions up to and including 4.2.0, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM: versions up to and including 1.4.1. | |||||
CVE-2022-1702 | 1 Sonicwall | 10 Sma 6200, Sma 6200 Firmware, Sma 6210 and 7 more | 2022-10-14 | 5.8 MEDIUM | 6.1 MEDIUM |
SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier versions accept a user-controlled input that specifies a link to an external site and uses that link in a redirect which leads to Open redirection vulnerability. | |||||
CVE-2019-7275 | 1 Optergy | 2 Enterprise, Proton | 2022-10-13 | 5.8 MEDIUM | 6.1 MEDIUM |
Optergy Proton/Enterprise devices allow Open Redirect. | |||||
CVE-2022-41204 | 1 Sap | 1 Commerce | 2022-10-12 | N/A | 8.8 HIGH |
An attacker can change the content of an SAP Commerce - versions 1905, 2005, 2105, 2011, 2205, login page through a manipulated URL. They can inject code that allows them to redirect submissions from the affected login form to their own server. This allows them to steal credentials and hijack accounts. A successful attack could compromise the Confidentiality, Integrity, and Availability of the system. | |||||
CVE-2019-6741 | 1 Samsung | 2 Galaxy S9, Galaxy S9 Firmware | 2022-10-12 | 5.8 MEDIUM | 9.3 CRITICAL |
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S9 prior to January 2019 Security Update (SMR-JAN-2019 - SVE-2018-13467). User interaction is required to exploit this vulnerability in that the target must connect to a wireless network. The specific flaw exists within the captive portal. By manipulating HTML, an attacker can force a page redirection. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7476. | |||||
CVE-2022-3438 | 1 Ikus-soft | 1 Rdiffweb | 2022-10-11 | N/A | 6.1 MEDIUM |
Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.0a4. | |||||
CVE-2022-29170 | 1 Grafana | 1 Grafana | 2022-10-07 | 4.9 MEDIUM | 8.5 HIGH |
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds. | |||||
CVE-2020-13565 | 2 Open-emr, Phpgacl Project | 2 Openemr, Phpgacl | 2022-10-07 | 5.8 MEDIUM | 6.1 MEDIUM |
An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7, OpenEMR 5.0.2 and OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability. | |||||
CVE-2022-28215 | 1 Sap | 1 Netweaver Abap | 2022-10-06 | 4.3 MEDIUM | 4.7 MEDIUM |
SAP NetWeaver ABAP Server and ABAP Platform - versions 740, 750, 787, allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked to disclose personal information. | |||||
CVE-2022-0283 | 1 Gitlab | 1 Gitlab | 2022-10-05 | 5.8 MEDIUM | 6.1 MEDIUM |
An issue has been discovered affecting GitLab versions prior to 13.5. An open redirect vulnerability was fixed in GitLab integration with Jira that a could cause the web application to redirect the request to the attacker specified URL. | |||||
CVE-2022-40083 | 1 Labstack | 1 Echo | 2022-09-29 | N/A | 9.6 CRITICAL |
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF). |