Total
1050 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-24554 | 1 Liferay | 1 Liferay Portal | 2024-08-04 | 7.5 High |
| The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist. | ||||
| CVE-2020-24550 | 1 Episerver | 1 Find | 2024-08-04 | 6.1 Medium |
| An Open Redirect vulnerability in EpiServer Find before 13.2.7 allows an attacker to redirect users to untrusted websites via the _t_redirect parameter in a crafted URL, such as a /find_v2/_click URL. | ||||
| CVE-2020-23182 | 1 Php-fusion | 1 Php-fusion | 2024-08-04 | 5.4 Medium |
| The component /php-fusion/infusions/shoutbox_panel/shoutbox_archive.php in PHP-Fusion 9.03.60 allows attackers to redirect victim users to malicious websites via a crafted payload entered into the Shoutbox message panel. | ||||
| CVE-2020-22840 | 1 B2evolution | 1 B2evolution | 2024-08-04 | 6.1 Medium |
| Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php. | ||||
| CVE-2020-23015 | 1 Opnsense | 1 Opnsense | 2024-08-04 | 6.1 Medium |
| An open redirect issue was discovered in OPNsense through 20.1.5. The redirect parameter "url" in login page was not filtered and can redirect user to any website. | ||||
| CVE-2020-21998 | 1 Homeautomation Project | 1 Homeautomation | 2024-08-04 | 6.1 Medium |
| In HomeAutomation 3.3.2 input passed via the 'redirect' GET parameter in 'api.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain. | ||||
| CVE-2020-21038 | 1 Typecho | 1 Typecho | 2024-08-04 | 6.1 Medium |
| Open redirect vulnerability in typecho 1.1-17.10.30-release via the referer parameter to Login.php. | ||||
| CVE-2020-18985 | 1 Synacor | 1 Zimbra Collaboration Suite | 2024-08-04 | 6.1 Medium |
| An issue in /domain/service/.ewell-known/caldav of Zimbra Collaboration 8.8.12 allows attackers to redirect users to any arbitrary website of their choosing. | ||||
| CVE-2020-18660 | 1 Get-simple | 1 Getsimplecms | 2024-08-04 | 6.1 Medium |
| GetSimpleCMS <=3.3.15 has an open redirect in admin/changedata.php via the redirect function to the url parameter. | ||||
| CVE-2020-18268 | 1 Zblogcn | 1 Z-blogphp | 2024-08-04 | 6.1 Medium |
| Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php." | ||||
| CVE-2020-17484 | 1 Uffizio | 1 Gps Tracker | 2024-08-04 | 6.1 Medium |
| An Open Redirection vulnerability exists in Uffizio's GPS Tracker all versions allows an attacker to construct a URL within the application that causes a redirection to an arbitrary external domain. | ||||
| CVE-2020-15677 | 4 Debian, Mozilla, Opensuse and 1 more | 8 Debian Linux, Firefox, Firefox Esr and 5 more | 2024-08-04 | 6.1 Medium |
| By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3. | ||||
| CVE-2020-15300 | 1 Salesagility | 1 Suitecrm | 2024-08-04 | 6.1 Medium |
| SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document. | ||||
| CVE-2020-15242 | 1 Vercel | 1 Next.js | 2024-08-04 | 4.7 Medium |
| Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain. The issue is fixed in version 9.5.4. | ||||
| CVE-2020-15234 | 1 Ory | 1 Fosite | 2024-08-04 | 6.1 Medium |
| ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite before version 0.34.1, the OAuth 2.0 Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint where compared using strings.ToLower while they should have been compared with a simple string match. This allows an attacker to register a client with allowed redirect URL https://example.com/callback. Then perform an OAuth2 flow and requesting redirect URL https://example.com/CALLBACK. Instead of an error (invalid redirect URL), the browser is redirected to https://example.com/CALLBACK with a potentially successful OAuth2 response, depending on the state of the overall OAuth2 flow (the user might still deny the request for example). This vulnerability has been patched in ORY Fosite v0.34.1. | ||||
| CVE-2020-15233 | 1 Ory | 1 Fosite | 2024-08-04 | 6.1 Medium |
| ORY Fosite is a security first OAuth2 & OpenID Connect framework for Go. In Fosite from version 0.30.2 and before version 0.34.1, there is an issue in which an an attacker can override the registered redirect URL by performing an OAuth flow and requesting a redirect URL that is to the loopback adapter. Attackers can provide both custom URL query parameters to their loopback redirect URL, as well as actually overriding the host of the registered redirect URL. These attacks are only applicable in scenarios where the attacker has access over the loopback interface. This vulnerability has been patched in ORY Fosite v0.34.1. | ||||
| CVE-2020-15241 | 1 Typo3 | 2 Fluid Engine, Typo3 | 2024-08-04 | 4.7 Medium |
| TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1). | ||||
| CVE-2020-15129 | 1 Traefik | 1 Traefik | 2024-08-04 | 6.1 Medium |
| In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component doesn't validate that the value of the header "X-Forwarded-Prefix" is a site relative path and will redirect to any header provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active Exploitation of this issue is unlikely as it would require active header injection, however the Traefik team addressed this issue nonetheless to prevent abuse in e.g. cache poisoning scenarios. | ||||
| CVE-2020-14454 | 1 Mattermost | 1 Mattermost Desktop | 2024-08-04 | 6.1 Medium |
| An issue was discovered in Mattermost Desktop App before 4.4.0. Attackers can open web pages in the desktop application because server redirection is mishandled, aka MMSA-2020-0008. | ||||
| CVE-2020-14446 | 1 Wso2 | 2 Identity Server, Identity Server As Key Manager | 2024-08-04 | 6.1 Medium |
| An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists. | ||||