Total
1129 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-27463 | 1 Wwbn | 1 Avideo | 2024-11-21 | 6.1 Medium |
| Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6, allows attackers to arbitrarily redirect users from a crafted url to the login page. | ||||
| CVE-2022-27461 | 1 Nopcommerce | 1 Nopcommerce | 2024-11-21 | 6.1 Medium |
| In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link. | ||||
| CVE-2022-27256 | 1 Hubzilla | 1 Hubzilla | 2024-11-21 | 6.1 Medium |
| A PHP Local File inclusion vulnerability in the Redbasic theme for Hubzilla before version 7.2 allows remote attackers to include arbitrary php files via the schema parameter. | ||||
| CVE-2022-27110 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.4 Medium |
| OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. | ||||
| CVE-2022-27109 | 1 Orangehrm | 1 Orangehrm | 2024-11-21 | 5.4 Medium |
| OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. | ||||
| CVE-2022-27090 | 1 Chshcms | 1 Cscms | 2024-11-21 | 5.4 Medium |
| Cscms Music Portal System v4.2 was discovered to contain a redirection vulnerability via the backurl parameter. | ||||
| CVE-2022-26954 | 1 Nopcommerce | 1 Nopcommerce | 2024-11-21 | 6.1 Medium |
| Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class. | ||||
| CVE-2022-26950 | 1 Rsa | 1 Archer | 2024-11-21 | 5.4 Medium |
| Archer 6.x through 6.9 P2 (6.9.0.2) is affected by an open redirect vulnerability. A remote unprivileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims' credentials and silently authenticate them to the Archer application without the victims realizing an attack occurred. | ||||
| CVE-2022-26326 | 1 Microfocus | 1 Netiq Access Manager | 2024-11-21 | 4 Medium |
| Potential open redirection vulnerability when URL is crafted in specific format in NetIQ Access Manager prior to 5.0.2 | ||||
| CVE-2022-26158 | 1 Cherwell | 1 Cherwell Service Management | 2024-11-21 | 6.1 Medium |
| An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. It accepts and reflects arbitrary domains supplied via a client-controlled Host header. Injection of a malicious URL in the Host: header of the HTTP Request results in a 302 redirect to an attacker-controlled page. | ||||
| CVE-2022-26156 | 1 Cherwell | 1 Cherwell Service Management | 2024-11-21 | 6.1 Medium |
| An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. Injection of a malicious payload within the RelayState= parameter of the HTTP request body results in the hijacking of the form action. Form-action hijacking vulnerabilities arise when an application places user-supplied input into the action URL of an HTML form. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify the action URL of a form to point to the attacker's server. | ||||
| CVE-2022-25803 | 1 Bestpractical | 1 Request Tracker | 2024-11-21 | 6.1 Medium |
| Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search. | ||||
| CVE-2022-25799 | 1 Cert | 1 Vince | 2024-11-21 | 6.1 Medium |
| An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user's browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user's credentials. | ||||
| CVE-2022-25295 | 1 Getgophish | 1 Gophish | 2024-11-21 | 5.4 Medium |
| This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parse(r.FormValue("next")) to extract path and eventually redirect user to a relative URL, but if next parameter starts with multiple backslashes like \\\\\\example.com, browser will redirect user to http://example.com. | ||||
| CVE-2022-25196 | 1 Jenkins | 1 Gitlab Authentication | 2024-11-21 | 5.4 Medium |
| Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts, allowing attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in. | ||||
| CVE-2022-24969 | 1 Apache | 1 Dubbo | 2024-11-21 | 6.1 Medium |
| bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability. | ||||
| CVE-2022-24887 | 1 Nextcloud | 1 Talk | 2024-11-21 | 4.3 Medium |
| Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are currently no known workarounds. | ||||
| CVE-2022-24858 | 1 Nextauth.js | 1 Next-auth | 2024-11-21 | 6.1 Medium |
| next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`. | ||||
| CVE-2022-24794 | 1 Auth0 | 1 Express Openid Connect | 2024-11-21 | 7.5 High |
| Express OpenID Connect is an Express JS middleware implementing sign on for Express web apps using OpenID Connect. Users of the `requiresAuth` middleware, either directly or through the default `authRequired` option, are vulnerable to an Open Redirect when the middleware is applied to a catch all route. If all routes under `example.com` are protected with the `requiresAuth` middleware, a visit to `http://example.com//google.com` will be redirected to `google.com` after login because the original url reported by the Express framework is not properly sanitized. This vulnerability affects versions prior to 2.7.2. Users are advised to upgrade. There are no known workarounds. | ||||
| CVE-2022-24739 | 1 Alltube Project | 1 Alltube | 2024-11-21 | 7.3 High |
| alltube is an html front end for youtube-dl. On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured). The impact is mitigated by the fact the SSRF attack is only possible when the `stream` option is enabled in the configuration. (This option is disabled by default.) 3.0.3 contains a fix for this vulnerability. | ||||