Total
742 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-24445 | 1 Jenkins | 1 Openid | 2023-02-02 | N/A | 6.1 MEDIUM |
Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. | |||||
CVE-2019-19709 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2023-02-01 | 5.8 MEDIUM | 6.1 MEDIUM |
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page. | |||||
CVE-2019-16220 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-01-31 | 5.8 MEDIUM | 6.1 MEDIUM |
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect. | |||||
CVE-2019-4201 | 1 Ibm | 1 Jazz For Service Management | 2023-01-30 | 5.8 MEDIUM | 6.1 MEDIUM |
IBM Jazz for Service Management 1.1.3, 1.1.3.1, and 1.1.3.2 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 159122. | |||||
CVE-2022-23538 | 1 Sylabs | 1 Singularity Container Services Library | 2023-01-30 | N/A | 7.6 HIGH |
github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. The vulnerable multi-part concurrent download flow, with redirect to S3, is only used when communicating with a Singularity Enterprise 1.x installation, or third party server implementing this flow. Interaction with Singularity Enterprise 2.x, and Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. We encourage all users to update. Users who interact with a Singularity Enterprise 1.x installation, using a 3rd party S3 storage service, are advised to revoke and recreate their authentication tokens within Singularity Enterprise. There is no workaround available at this time. | |||||
CVE-2018-3743 | 1 Hekto Project | 1 Hekto | 2023-01-30 | 5.8 MEDIUM | 6.1 MEDIUM |
Open redirect in hekto <=0.2.3 when target domain name is used as html filename on server. | |||||
CVE-2022-3145 | 1 Okta | 1 Oidc Middleware | 2023-01-30 | N/A | 4.7 MEDIUM |
An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL. | |||||
CVE-2020-8559 | 1 Kubernetes | 1 Kubernetes | 2023-01-27 | 6.0 MEDIUM | 6.8 MEDIUM |
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. | |||||
CVE-2015-10052 | 1 Gibb-modul-151 Project | 1 Gibb-modul-151 | 2023-01-24 | N/A | 6.1 MEDIUM |
** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, was found in calesanz gibb-modul-151. This affects the function bearbeiten/login. The manipulation leads to open redirect. It is possible to initiate the attack remotely. The name of the patch is 88a517dc19443081210c804b655e72770727540d. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218379. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
CVE-2022-43721 | 1 Apache | 1 Superset | 2023-01-24 | N/A | 5.4 MEDIUM |
An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||
CVE-2023-22958 | 1 Syracom | 1 Secure Login | 2023-01-23 | N/A | 6.1 MEDIUM |
The Syracom Secure Login plugin before 3.1.1.0 for Jira may allow spoofing of 2FA PIN validation via the plugins/servlet/twofactor/public/pinvalidation target parameter. | |||||
CVE-2022-39183 | 1 Moodle | 1 Saml Authentication | 2023-01-20 | N/A | 6.1 MEDIUM |
Moodle Plugin - SAML Auth may allow Open Redirect through unspecified vectors. | |||||
CVE-2023-0042 | 1 Gitlab | 1 Gitlab | 2023-01-20 | N/A | 6.1 MEDIUM |
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. GitLab Pages allows redirection to arbitrary protocols. | |||||
CVE-2017-20164 | 1 Symbiote | 1 Seed | 2023-01-12 | N/A | 6.1 MEDIUM |
A vulnerability was found in Symbiote Seed up to 6.0.2. It has been classified as critical. Affected is the function onBeforeSecurityLogin of the file code/extensions/SecurityLoginExtension.php of the component Login. The manipulation of the argument URL leads to open redirect. It is possible to launch the attack remotely. Upgrading to version 6.0.3 is able to address this issue. The name of the patch is b065ebd82da53009d273aa7e989191f701485244. It is recommended to upgrade the affected component. VDB-217626 is the identifier assigned to this vulnerability. | |||||
CVE-2022-3614 | 1 Octopus | 1 Octopus Deploy | 2023-01-10 | N/A | 6.1 MEDIUM |
In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. | |||||
CVE-2021-30888 | 1 Apple | 6 Ipad Os, Ipados, Iphone Os and 3 more | 2023-01-09 | 4.3 MEDIUM | 7.4 HIGH |
An information leakage issue was addressed. This issue is fixed in iOS 15.1 and iPadOS 15.1, macOS Monterey 12.0.1, iOS 14.8.1 and iPadOS 14.8.1, tvOS 15.1, watchOS 8.1. A malicious website using Content Security Policy reports may be able to leak information via redirect behavior . | |||||
CVE-2022-45917 | 1 Ilias | 1 Ilias | 2023-01-06 | N/A | 6.1 MEDIUM |
ILIAS before 7.16 has an Open Redirect. | |||||
CVE-2022-4589 | 1 Django Terms And Conditions Project | 1 Django Terms And Conditions | 2023-01-06 | N/A | 6.1 MEDIUM |
A vulnerability has been found in cyface Terms and Conditions Module up to 2.0.9 and classified as problematic. Affected by this vulnerability is the function returnTo of the file termsandconditions/views.py. The manipulation leads to open redirect. The attack can be launched remotely. Upgrading to version 2.0.10 is able to address this issue. The name of the patch is 03396a1c2e0af95e12a45c5faef7e47a4b513e1a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216175. | |||||
CVE-2022-38208 | 1 Esri | 1 Portal For Arcgis | 2023-01-05 | N/A | 6.1 MEDIUM |
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks. | |||||
CVE-2020-36627 | 1 Go-macaron | 1 I18n | 2023-01-05 | N/A | 6.1 MEDIUM |
A vulnerability was found in Macaron i18n. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file i18n.go. The manipulation leads to open redirect. The attack can be launched remotely. Upgrading to version 0.5.0 is able to address this issue. The name of the patch is 329b0c4844cc16a5a253c011b55180598e707735. It is recommended to upgrade the affected component. The identifier VDB-216745 was assigned to this vulnerability. |