Total
1050 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-32645 | 1 Tenancy | 1 Multi-tenant | 2024-08-03 | 6.1 Medium |
| Tenancy multi-tenant is an open source multi-domain controller for the Laravel web framework. In some situations, it is possible to have open redirects where users can be redirected from your site to any other site using a specially crafted URL. This is only the case for installations where the default Hostname Identification is used and the environment uses tenants that have `force_https` set to `true` (default: `false`). Version 5.7.2 contains the relevant patches to fix this bug. Stripping the URL from special characters to prevent specially crafted URL's from being redirected to. As a work around users can set the `force_https` to every tenant to `false`, however this may degrade connection security. | ||||
| CVE-2021-32618 | 1 Flask-security Project | 1 Flask-security | 2024-08-03 | 3.1 Low |
| The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the 'autocorrect_location_header=False`. | ||||
| CVE-2021-32478 | 1 Moodle | 1 Moodle | 2024-08-03 | 6.1 Medium |
| The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected. | ||||
| CVE-2021-31879 | 3 Broadcom, Gnu, Netapp | 8 Brocade Fabric Operating System Firmware, Wget, 500f and 5 more | 2024-08-03 | 6.1 Medium |
| GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. | ||||
| CVE-2021-31252 | 1 Chiyu-tech | 28 Bf-430, Bf-430 Firmware, Bf-431 and 25 more | 2024-08-03 | 6.1 Medium |
| An open redirect vulnerability exists in BF-630, BF-450M, BF-430, BF-431, BF631-W, BF830-W, Webpass, and SEMAC devices from CHIYU Technology that can be exploited by sending a link that has a specially crafted URL to convince the user to click on it. | ||||
| CVE-2021-30888 | 2 Apple, Redhat | 7 Ipad Os, Ipados, Iphone Os and 4 more | 2024-08-03 | 7.4 High |
| An information leakage issue was addressed. This issue is fixed in iOS 15.1 and iPadOS 15.1, macOS Monterey 12.0.1, iOS 14.8.1 and iPadOS 14.8.1, tvOS 15.1, watchOS 8.1. A malicious website using Content Security Policy reports may be able to leak information via redirect behavior . | ||||
| CVE-2021-28861 | 3 Fedoraproject, Python, Redhat | 4 Fedora, Python, Enterprise Linux and 1 more | 2024-08-03 | 7.4 High |
| Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks." | ||||
| CVE-2021-29651 | 1 Pomerium | 1 Pomerium | 2024-08-03 | 6.1 Medium |
| Pomerium before 0.13.4 has an Open Redirect (issue 1 of 2). | ||||
| CVE-2021-29652 | 1 Pomerium | 1 Pomerium | 2024-08-03 | 6.1 Medium |
| Pomerium from version 0.10.0-0.13.3 has an Open Redirect in the user sign-in/out process | ||||
| CVE-2021-29622 | 2 Prometheus, Redhat | 2 Prometheus, Openshift | 2024-08-03 | 6.5 Medium |
| Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus. | ||||
| CVE-2021-29456 | 1 Authelia | 1 Authelia | 2024-08-03 | 5.7 Medium |
| Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any domain, including potentially malicious sites. This security issue does not directly impact the security of the web application itself. As a workaround, one can use a reverse proxy to strip the query parameter from the affected endpoint. There is a patch for version 4.28.0. | ||||
| CVE-2021-29217 | 1 Hpe | 1 Oneview Global Dashboard | 2024-08-03 | 6.1 Medium |
| A remote URL redirection vulnerability was discovered in HPE OneView Global Dashboard version(s): Prior to 2.5. HPE has provided a software update to resolve this vulnerability in HPE OneView Global Dashboard. | ||||
| CVE-2021-29137 | 1 Arubanetworks | 1 Airwave | 2024-08-03 | 6.1 Medium |
| A remote URL redirection vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | ||||
| CVE-2021-28125 | 1 Apache | 1 Superset | 2024-08-03 | 6.1 Medium |
| Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link. | ||||
| CVE-2021-27612 | 1 Sap | 1 Gui For Windows | 2024-08-03 | 6.1 Medium |
| In specific situations SAP GUI for Windows until and including 7.60 PL9, 7.70 PL0, forwards a user to specific malicious website which could contain malware or might lead to phishing attacks to steal credentials of the victim. | ||||
| CVE-2021-27515 | 2 Redhat, Url-parse Project | 2 Quay, Url-parse | 2024-08-03 | 5.3 Medium |
| url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path. | ||||
| CVE-2021-27404 | 1 Asus | 2 Askey Rtf8115vw, Askey Rtf8115vw Firmware | 2024-08-03 | 6.1 Medium |
| Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow injection of a Host HTTP header. | ||||
| CVE-2021-27352 | 1 Ilch | 1 Ilch Cms | 2024-08-03 | 5.4 Medium |
| An open redirect vulnerability in Ilch CMS version 2.1.42 allows attackers to redirect users to an attacker's site after a successful login. | ||||
| CVE-2021-25655 | 1 Avaya | 1 Aura Experience Portal | 2024-08-03 | 4.4 Medium |
| A vulnerability in the system Service Menu component of Avaya Aura Experience Portal may allow URL Redirection to any untrusted site through a crafted attack. Affected versions include 7.0 through 7.2.3 (without hotfix) and 8.0.0 (without hotfix). | ||||
| CVE-2021-25757 | 1 Jetbrains | 1 Hub | 2024-08-03 | 6.1 Medium |
| In JetBrains Hub before 2020.1.12629, an open redirect was possible. | ||||