Total: 1050 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-26326 | 1 Microfocus | 1 Netiq Access Manager | 2024-08-03 | 4 Medium |
Potential open redirection vulnerability when a URL is crafted in a specific format, in NetIQ Access Manager prior to 5.0.2. | ||||
CVE-2022-26156 | 1 Cherwell | 1 Cherwell Service Management | 2024-08-03 | 6.1 Medium |
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. Injection of a malicious payload within the RelayState= parameter of the HTTP request body results in the hijacking of the form action. Form-action hijacking vulnerabilities arise when an application places user-supplied input into the action URL of an HTML form. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify the action URL of a form to point to the attacker's server. | ||||
CVE-2022-26158 | 1 Cherwell | 1 Cherwell Service Management | 2024-08-03 | 6.1 Medium |
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. It accepts and reflects arbitrary domains supplied via a client-controlled Host header. Injection of a malicious URL in the Host: header of the HTTP request results in a 302 redirect to an attacker-controlled page. | ||||
CVE-2022-25803 | 1 Bestpractical | 1 Request Tracker | 2024-08-03 | 6.1 Medium |
Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search. | ||||
CVE-2022-25196 | 1 Jenkins | 1 Gitlab Authentication | 2024-08-03 | 5.4 Medium |
Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts, allowing attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in. | ||||
CVE-2022-24969 | 1 Apache | 1 Dubbo | 2024-08-03 | 6.1 Medium |
Bypass of the fix for CVE-2021-25640: in Apache Dubbo prior to 2.6.12 and 2.7.15, use of the parseURL method leads to a bypass of the allowed-host ("white host") check, which can cause an open redirect or SSRF vulnerability. | ||||
CVE-2022-24887 | 1 Nextcloud | 1 Talk | 2024-08-03 | 4.3 Medium |
Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are currently no known workarounds. | ||||
CVE-2022-24858 | 1 Nextauth.js | 1 Next-auth | 2024-08-03 | 6.1 Medium |
next-auth v3 users before version 3.29.2 and next-auth v4 users before version 4.3.2 are affected by an open redirect. Upgrading to 3.29.2 or 4.3.2 patches this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your `callbacks` option: if you already have a `redirect` callback, make sure that it matches the origin of the incoming `url` against the `baseUrl`. | ||||
CVE-2022-24776 | 1 Flask-appbuilder Project | 1 Flask-appbuilder | 2024-08-03 | 6.1 Medium |
Flask-AppBuilder is an application development framework, built on top of the Flask web framework. Flask-AppBuilder contains an open redirect vulnerability when using database authentication login page on versions below 3.4.5. This issue is fixed in version 3.4.5. There are currently no known workarounds. | ||||
CVE-2022-24794 | 1 Auth0 | 1 Express Openid Connect | 2024-08-03 | 7.5 High |
Express OpenID Connect is an Express JS middleware implementing sign-on for Express web apps using OpenID Connect. Users of the `requiresAuth` middleware, either directly or through the default `authRequired` option, are vulnerable to an open redirect when the middleware is applied to a catch-all route. If all routes under `example.com` are protected with the `requiresAuth` middleware, a visit to `http://example.com//google.com` will be redirected to `google.com` after login because the original URL reported by the Express framework is not properly sanitized. This vulnerability affects versions prior to 2.7.2. Users are advised to upgrade. There are no known workarounds. | ||||
CVE-2022-24739 | 1 Alltube Project | 1 Alltube | 2024-08-03 | 7.3 High |
AllTube is an HTML front end for youtube-dl. On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured). The impact is mitigated by the fact that the SSRF attack is only possible when the `stream` option is enabled in the configuration. (This option is disabled by default.) 3.0.3 contains a fix for this vulnerability. | ||||
CVE-2022-24330 | 1 Jetbrains | 1 Teamcity | 2024-08-03 | 6.1 Medium |
In JetBrains TeamCity before 2021.2.1, a redirection to an external site was possible. | ||||
CVE-2022-23618 | 1 Xwiki | 1 Xwiki | 2024-08-03 | 4.7 Medium |
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is no protection against URL redirection to untrusted sites; in particular, some well-known parameters (xredirect) can be used to perform URL redirections. This problem has been patched in XWiki 12.10.7 and XWiki 13.3RC1. Users are advised to update. There are no known workarounds for this issue. | ||||
CVE-2022-23599 | 1 Plone | 1 Plone | 2024-08-03 | 4.3 Medium |
Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that depend on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross-site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page into a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can get redirected when clicking on a link on this page. Usually only anonymous users are affected, but this depends on the user's cache settings. Version 3.0.6 of Products.ATContentTypes has been released with a fix. This version works on Plone 5.2, Python 2 only. As a workaround, make sure the image_view_fullscreen page is not stored in the cache. More information about the vulnerability and mitigation measures is available in the GitHub Security Advisory. | ||||
CVE-2022-23527 | 3 Debian, Openidc, Redhat | 3 Debian Linux, Mod Auth Openidc, Enterprise Linux | 2024-08-03 | 4.7 Medium |
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server. Versions prior to 2.4.12.2 are vulnerable to Open Redirect. When providing a logout parameter to the redirect URI, the existing code in oidc_validate_redirect_url() does not properly check for URLs that start with /\t, leading to an open redirect. This issue has been patched in version 2.4.12.2. Users unable to upgrade can mitigate the issue by configuring mod_auth_openidc to only allow redirection when the destination matches a given regular expression with OIDCRedirectURLsAllowed. | ||||
CVE-2022-23184 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-08-03 | 6.1 Medium |
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | ||||
CVE-2022-23237 | 1 Netapp | 1 E-series Santricity Os Controller | 2024-08-03 | 6.1 Medium |
E-Series SANtricity OS Controller Software 11.x versions through 11.70.2 are vulnerable to host header injection attacks that could allow an attacker to redirect users to malicious websites. | ||||
CVE-2022-23102 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-08-03 | 6.1 Medium |
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Affected products contain an open redirect vulnerability. An attacker could trick a valid, authenticated user of the device into clicking a malicious link, thereby enabling phishing attacks. | ||||
CVE-2022-22919 | 1 Adenza | 1 Axiomsl Controllerview | 2024-08-03 | 6.1 Medium |
Adenza AxiomSL ControllerView through 10.8.1 allows open redirection via SSO login URLs. | ||||
CVE-2022-21651 | 1 Shopware | 1 Shopware | 2024-08-03 | 6.8 Medium |
Shopware is an open source e-commerce software platform. An open redirect vulnerability has been discovered: users may be arbitrarily redirected due to incomplete URL handling in the Shopware router. This issue has been resolved in version 5.7.7. There is no workaround and users are advised to upgrade as soon as possible. |
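Several entries above share one root cause: the redirect target is judged from the raw string ("starts with a single slash", "starts with our base URL", "contains an allowed host") instead of being parsed the way the browser will parse the Location header. As an added example (not code from any project in the table), the following Node.js script puts such a string-based check beside a resolve-then-compare-origin check, using constructed payloads shaped like the `//google.com` of CVE-2022-24794 and the `/\t` prefix of CVE-2022-23527, plus a backslash variant that generalizes beyond the table, and shows the Host-header echo of the CVE-2022-26158 / CVE-2022-23237 class beside an allowlisted form. The hostnames `app.example.com` and `evil.example` and all function names are assumptions for illustration.

```javascript
// Added example: redirect-target and Host-header validation in Node.js.
// Not code from any project listed in the table; app.example.com and
// evil.example are constructed hostnames. Uses only the global WHATWG URL.

const BASE_URL = 'https://app.example.com';            // assumed site base URL
const ALLOWED_HOSTS = new Set(['app.example.com']);    // assumed canonical host(s)

// Vulnerable check of the kind behind several entries above. It reasons about
// the raw string ("one leading slash, so a local path"; "starts with our base
// URL, so it is ours") and never parses the target.
function naiveIsLocal(target) {
  return (target.startsWith('/') && !target.startsWith('//')) ||
         target.startsWith(BASE_URL);
}

// Hardened check: resolve the candidate against the site's own base URL with
// the WHATWG URL parser, which applies the rules a browser applies to the
// Location header (ASCII tab/newline are dropped, "\" is treated as "/" for
// http(s)), then require the resolved origin to equal the base origin.
function isSafeRedirect(target, baseUrl = BASE_URL) {
  if (typeof target !== 'string' || target.length === 0) return false;
  let resolved;
  try {
    resolved = new URL(target, baseUrl);
  } catch {
    return false;                                   // unparseable: refuse
  }
  // origin covers scheme, host and port; the protocol test additionally
  // rejects schemes such as javascript: whose origin is the opaque "null".
  return /^https?:$/.test(resolved.protocol) &&
         resolved.origin === new URL(baseUrl).origin;
}

// What a login handler should place in the Location header: the validated
// target in normalized form, or the site root when validation fails.
function safeRedirectTarget(target, baseUrl = BASE_URL) {
  return isSafeRedirect(target, baseUrl)
    ? new URL(target, baseUrl).href
    : new URL(baseUrl).href;
}

// Host-header pattern: an absolute redirect assembled from req.headers.host
// lets the client choose the host the victim is sent to.
function loginUrlFromHostHeader(hostHeader) {
  return `https://${hostHeader}/login`;              // vulnerable: header echoed verbatim
}

// Hardened form: only a configured canonical host is ever echoed back.
function loginUrlSafe(hostHeader) {
  const host = ALLOWED_HOSTS.has(hostHeader) ? hostHeader : new URL(BASE_URL).host;
  return `https://${host}/login`;
}

// Constructed payloads, each modelled on an entry in the table above.
const PAYLOADS = {
  plain:       '/account',                               // legitimate relative path
  protocolRel: '//google.com',                           // CVE-2022-24794 shape
  tabSmuggle:  '/\t/evil.example',                       // CVE-2022-23527 shape: parser drops the tab
  backslash:   '/\\evil.example',                        // generalization: "\" == "/" in http(s)
  prefixMatch: 'https://app.example.com.evil.example/',  // defeats startsWith(BASE_URL)
  jsScheme:    'javascript:alert(1)',                    // non-http scheme
};

// Runs both checks over every payload; returns {name: {naive, hardened}}.
function evaluateAll() {
  const out = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    out[name] = { naive: naiveIsLocal(p), hardened: isSafeRedirect(p) };
  }
  return out;
}

console.table(evaluateAll());
console.log(loginUrlFromHostHeader('evil.example'), '->', loginUrlSafe('evil.example'));
```

The table printed by `evaluateAll()` is the point: the tab, backslash and prefix-match payloads all pass `naiveIsLocal` and all fail `isSafeRedirect`, because the hardened check asks the parser where the browser will actually go rather than inspecting the characters it was given. Comparing `origin` also removes the need for a separate port check, and falling back to the site root rather than rejecting the request keeps a broken `?next=` link from turning into an error page.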