Total
1159 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-6932 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site. | |||||
| CVE-2017-5871 | 1 Odoo | 1 Odoo | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| Odoo Version <= 8.0-20160726 and Version 9 is affected by: CWE-601: Open redirection. The impact is: obtain sensitive information (remote). | |||||
| CVE-2017-5389 | 1 Mozilla | 1 Firefox | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 51. | |||||
| CVE-2017-2166 | 1 Groupsession | 1 Groupsession | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in GroupSession version 4.7.0 and earlier allows an attacker to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2017-20164 | 1 Symbiote | 1 Seed | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in Symbiote Seed up to 6.0.2. It has been classified as critical. Affected is the function onBeforeSecurityLogin of the file code/extensions/SecurityLoginExtension.php of the component Login. The manipulation of the argument URL leads to open redirect. It is possible to launch the attack remotely. Upgrading to version 6.0.3 is able to address this issue. The patch is identified as b065ebd82da53009d273aa7e989191f701485244. It is recommended to upgrade the affected component. VDB-217626 is the identifier assigned to this vulnerability. | |||||
| CVE-2017-20119 | 1 Trueconf | 1 Server | 2024-11-21 | 5.8 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic has been found in TrueConf Server 4.3.7. This affects an unknown part of the file /admin/general/change-lang. The manipulation of the argument redirect_url leads to open redirect. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2017-1748 | 1 Ibm | 1 Connections | 2024-11-21 | 5.8 MEDIUM | 6.8 MEDIUM |
| IBM Connections 5.0, 5.5, and 6.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 135521. | |||||
| CVE-2017-1668 | 1 Ibm | 1 Security Key Lifecycle Manager | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 133562. | |||||
| CVE-2017-1534 | 1 Ibm | 6 Security Access Manager Appliance, Security Access Manager Firmware, Security Access Manager For Mobile and 3 more | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| IBM Security Access Manager Appliance 8.0.0 and 9.0.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 130676. | |||||
| CVE-2017-18897 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection. | |||||
| CVE-2017-18891 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link. | |||||
| CVE-2017-18441 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 4.0 MEDIUM | 5.0 MEDIUM |
| cPanel before 64.0.21 allows demo accounts to redirect web traffic (SEC-245). | |||||
| CVE-2017-18414 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
| cPanel before 67.9999.103 allows an open redirect in /unprotected/redirect.html (SEC-300). | |||||
| CVE-2017-18262 | 1 Blackboard | 1 Blackboard Learn | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Blackboard Learn (Since at least 17th of October 2017) has allowed Unvalidated Redirects on any signed-in user through its endpoints for handling Shibboleth logins, as demonstrated by a webapps/bb-auth-provider-shibboleth-BBLEARN/execute/shibbolethLogin?returnUrl= URI. | |||||
| CVE-2017-18178 | 1 Progress | 1 Sitefinity | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1. | |||||
| CVE-2017-18109 | 1 Atlassian | 1 Crowd | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. | |||||
| CVE-2017-16652 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks. | |||||
| CVE-2017-16224 | 1 St Project | 1 St | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e"). | |||||
| CVE-2017-15419 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Insufficient policy enforcement in Resource Timing API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to infer browsing history by triggering a leaked cross-origin URL via a crafted HTML page. | |||||
| CVE-2017-14802 | 1 Netiq | 1 Access Manager | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| Novell Access Manager Admin Console and IDP servers before 4.3.3 have a URL that could be used by remote attackers to trigger unvalidated redirects to third party sites. | |||||