Total: 1377 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-16954 | 1 Oracle | 1 Webcenter Interaction | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The login function of the portal is vulnerable to insecure redirection (also called an open redirect). The in_hi_redirect parameter is not validated by the application after a successful login. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

| CVE-2018-16761 | 1 Eventum Project | 1 Eventum | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Eventum before 3.4.0 has an open redirect vulnerability.

| CVE-2018-16191 | 1 Ec-cube | 1 Ec-cube | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Open redirect vulnerability in EC-CUBE 3.0.0 through 3.0.16 (including 3.0.12-p1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

| CVE-2018-16174 | 1 Thimpress | 1 Learnpress | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Open redirect vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

| CVE-2018-15798 | 1 Pivotal Software | 1 Concourse | 2024-11-21 | 5.8 MEDIUM | 7.6 HIGH |

The login flow of Pivotal Concourse Release, versions 4.x prior to 4.2.2, allows redirects to untrusted websites. A remote, unauthenticated attacker could convince a user to click a link that points the OAuth redirect at an untrusted website and thereby obtain that user's Concourse access token.

| CVE-2018-15683 | 1 Btiteam | 1 Xbtit | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

An issue was discovered in BTITeam XBTIT. The "returnto" parameter of the login page is vulnerable to an open redirect due to a lack of validation. If a user is already logged in when accessing the page, they are redirected immediately.

| CVE-2018-15493 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

vBulletin 5.4.3 has an Open Redirect.

| CVE-2018-15403 | 1 Cisco | 4 Emergency Responder, Unified Communications Manager, Unified Communications Manager Im And Presence Service and 1 more | 2024-11-21 | 4.9 MEDIUM | 5.4 MEDIUM |

A vulnerability in the web interface of Cisco Emergency Responder, Cisco Unified Communications Manager, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an authenticated, remote attacker to redirect a user to a malicious web page. The vulnerability is due to improper input validation of the parameters of an HTTP request. An attacker could exploit this vulnerability by crafting an HTTP request that causes the web interface to redirect a request t ...

| CVE-2018-15180 | 1 Qasymphony | 1 Qtest Manager | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

qTest Portal in QASymphony qTest Manager 9.0.0 has an Open Redirect via the /portal/loginform redirect parameter.

| CVE-2018-15178 | 1 Gogs | 1 Gogs | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.

| CVE-2018-14931 | 1 Polarisft | 1 Intellect Core Banking | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

An issue was discovered in the Core and Portal modules in Polaris FT Intellect Core Banking 9.7.1. An open redirect exists via a /IntellectMain.jsp?IntellectSystem= URI.

| CVE-2018-14658 | 1 Redhat | 1 Keycloak | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

A flaw was found in JBoss Keycloak 3.2.1.Final. The redirect URLs for both login and logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect URL is verified. This can lead to an open redirect.

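Both the Gogs entry (CVE-2018-15178) and the Keycloak entry (CVE-2018-14658) come down to a redirect value being checked before it is put into a canonical form: Gogs accepted a leading `/\`, which browsers resolve exactly like `//` (scheme-relative, so off-site), and Keycloak compared the redirect URL against registered values without normalizing it first. The Go program below is an added example written for this page, not code from either project. It shows a same-site-path policy of the kind a login `redirect_to` parameter needs, a raw string-prefix check of the shape the Keycloak entry warns about, and a normalize-then-compare check that survives the bypasses. The hosts, registered patterns and function names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// isLocalRedirect is a same-site policy for a login "redirect_to" value:
// only a path on this site is accepted. Testing for a leading "/" alone is
// not enough, because browsers resolve both "//evil.com" and "/\evil.com"
// as scheme-relative URLs pointing at evil.com (the latter is the bypass
// the Gogs entry describes).
func isLocalRedirect(raw string) bool {
	if raw == "" || raw[0] != '/' {
		return false
	}
	if len(raw) > 1 && (raw[1] == '/' || raw[1] == '\\') {
		return false
	}
	// Second line of defence: the parsed form must carry no scheme, host
	// or userinfo either.
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "" && u.Host == "" && u.User == nil
}

// naiveMatch compares the raw redirect string against registered patterns
// without normalising it first; a trailing "*" is a prefix wildcard. This
// is the shape of check the Keycloak entry warns about.
func naiveMatch(raw string, patterns []string) bool {
	for _, p := range patterns {
		if strings.HasSuffix(p, "*") {
			if strings.HasPrefix(raw, strings.TrimSuffix(p, "*")) {
				return true
			}
		} else if raw == p {
			return true
		}
	}
	return false
}

// normalize puts an absolute URL into a canonical form so that different
// spellings of one target compare equal: lower-case scheme and host, the
// default port dropped, dot-segments and repeated slashes resolved. URLs
// with userinfo, or with a backslash anywhere (browsers and net/url parse
// it differently), are refused outright.
func normalize(raw string) (*url.URL, bool) {
	if strings.Contains(raw, "\\") {
		return nil, false
	}
	u, err := url.Parse(raw) // net/url already lower-cases the scheme
	if err != nil || u.Scheme == "" || u.Host == "" || u.User != nil {
		return nil, false
	}
	host := strings.ToLower(u.Host)
	if (u.Scheme == "https" && strings.HasSuffix(host, ":443")) ||
		(u.Scheme == "http" && strings.HasSuffix(host, ":80")) {
		host = host[:strings.LastIndex(host, ":")]
	}
	u.Host = host
	u.Path = path.Clean("/" + u.Path) // resolves "..", "." and "//"
	u.RawPath = ""
	u.Fragment = ""
	return u, true
}

// normalizedMatch normalises both the candidate and each registered pattern
// before comparing. Scheme and host must match exactly; a "*" pattern
// matches the registered path itself or anything below it on a segment
// boundary, so "/callback*" does not match "/callbackevil".
func normalizedMatch(raw string, patterns []string) bool {
	u, ok := normalize(raw)
	if !ok {
		return false
	}
	for _, p := range patterns {
		wildcard := strings.HasSuffix(p, "*")
		pu, ok := normalize(strings.TrimSuffix(p, "*"))
		if !ok || u.Scheme != pu.Scheme || u.Host != pu.Host {
			continue
		}
		if !wildcard {
			if u.Path == pu.Path {
				return true
			}
			continue
		}
		prefix := strings.TrimSuffix(pu.Path, "/") + "/"
		if u.Path == strings.TrimSuffix(prefix, "/") || strings.HasPrefix(u.Path, prefix) {
			return true
		}
	}
	return false
}

func main() {
	strict := []string{"https://app.example.com/callback/*"} // constructed client registration
	lax := []string{"https://app.example.com*"}              // a host-wide wildcard, also constructed
	for _, c := range []struct {
		value    string
		patterns []string
	}{
		{"https://app.example.com/callback/../../logout", strict},
		{"https://app.example.com.evil.com/callback/", lax},
		{"https://app.example.com@evil.com/callback/", lax},
		{"HTTPS://App.Example.com:443/callback/done", strict},
	} {
		fmt.Printf("%-50s naive=%-5v normalized=%v\n", c.value,
			naiveMatch(c.value, c.patterns), normalizedMatch(c.value, c.patterns))
	}
	for _, v := range []string{"/user/settings", "//evil.com", "/\\evil.com", "https://evil.com/"} {
		fmt.Printf("%-20s local=%v\n", v, isLocalRedirect(v))
	}
}
```

The traversal case is the one that matters for a registered-URI check: the raw string begins with the registered prefix, yet once dot-segments are resolved the target is a different path. The host-suffix and userinfo cases show why the comparison has to be made on the parsed scheme and host, never on the string.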
| CVE-2018-14574 | 3 Canonical, Debian, Djangoproject | 3 Ubuntu Linux, Debian Linux, Django | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.

| CVE-2018-14474 | 1 Goodoldweb | 1 Orange Forum | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or /signup.

| CVE-2018-14398 | 1 Cremecrm | 1 Cremecrm | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

An issue was discovered in Creme CRM 1.6.12. The value of the cancel button uses the content of the HTTP Referer header, and could be used to trick a user into visiting a fake login page in order to steal credentials.

| CVE-2018-14381 | 1 Pagekit | 1 Pagekit | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Pagekit before 1.0.14 has a /user/login?redirect= open redirect vulnerability.

| CVE-2018-14366 | 2 Ivanti, Pulsesecure | 3 Connect Secure, Pulse Connect Secure, Pulse Policy Secure | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

download.cgi in Pulse Secure Pulse Connect Secure 8.1RX before 8.1R13 and 8.3RX before 8.3R4, and in Pulse Policy Secure 5.2RX before 5.2R10 and 5.4RX before 5.4R4, has an open redirect vulnerability.

| CVE-2018-13813 | 1 Siemens | 22 Simatic Hmi Comfort Outdoor Panels, Simatic Hmi Comfort Outdoor Panels Firmware, Simatic Hmi Comfort Panels and 19 more | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |

A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V15 Update 4), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15 Update 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V15 Update 4), SIMATIC WinCC Runtime Advanced (All versions < V15 Update 4), SIMATIC WinCC Runtime Professional (All versions < V15 Update 4), SIMATIC WinCC (TIA Portal) (All versions < V15 Update 4), SIMATIC HMI Classic Devices ...

| CVE-2018-13402 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users and, in some cases, obtain a user's Cross-site request forgery (CSRF) token, via an open redirect vulnerability.

| CVE-2018-13401 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability.

| CVE-2018-13384 | 1 Fortinet | 1 Fortios | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

A Host Header Redirection vulnerability in Fortinet FortiOS all versions below 6.0.5 under SSL VPN web portal allows a remote attacker to potentially poison HTTP cache and subsequently redirect SSL VPN web portal users to arbitrary web domains.

| CVE-2018-13257 | 1 Blackboard | 1 Blackboard Learn | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

The bb-auth-provider-cas authentication module within Blackboard Learn 2018-07-02 is susceptible to HTTP host header spoofing during Central Authentication Service (CAS) service ticket validation, enabling a phishing attack from the CAS server login page.

| CVE-2018-12675 | 1 Sv3c | 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) does not perform origin checks on URLs that the camera's web interface redirects a user to. This can be leveraged to send a user to an unexpected endpoint.

| CVE-2018-12621 | 1 Eventum Project | 1 Eventum | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

An issue was discovered in Eventum 3.5.0. /htdocs/switch.php has an Open Redirect via the current_page parameter.

| CVE-2018-12300 | 1 Seagate | 1 Nas Os | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.

| CVE-2018-11784 | 6 Apache, Canonical, Debian and 3 more | 15 Tomcat, Ubuntu Linux, Debian Linux and 12 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo'), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.

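The Django (CVE-2018-14574) and Tomcat (CVE-2018-11784) entries, and the FortiOS entry above (CVE-2018-13384), are the same flaw seen from the server's side: the Location header is assembled from the request itself. A trailing-slash redirect built from the raw request path turns `GET //evil.com` into `Location: //evil.com/`, which the browser resolves as an absolute URL; a redirect built from the Host header puts whatever host the attacker sent into the Location, and a cache in front of the application can then serve that response to other users. The Go program below is an added example for this page, not code from any of those projects: a handler carrying both flaws beside one that escapes a leading `//` or `/\` (the approach Django's fix took) and redirects only to a configured canonical host. The host names are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// canonicalHost is the host the deployment is actually served on; a real
// application would take it from configuration. Constructed for the example.
const canonicalHost = "portal.example.com"

// vulnerableHandler reproduces both flaws. For a path without a trailing
// slash it redirects to path + "/", built from the raw request path, and for
// the portal root it redirects to an absolute URL built from the Host header.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == "/" {
		http.Redirect(w, r, "https://"+r.Host+"/portal/", http.StatusFound)
		return
	}
	if !strings.HasSuffix(r.URL.Path, "/") {
		http.Redirect(w, r, r.URL.Path+"/", http.StatusMovedPermanently)
		return
	}
	fmt.Fprintln(w, "directory listing for", r.URL.Path)
}

// escapeLeadingSlashes rewrites a path beginning with "//" or "/\" so it
// can no longer be read as scheme-relative: the second character becomes
// "%2F" and any further leading slashes or backslashes are dropped.
func escapeLeadingSlashes(p string) string {
	if len(p) > 1 && p[0] == '/' && (p[1] == '/' || p[1] == '\\') {
		return "/%2F" + strings.TrimLeft(p[1:], "/\\")
	}
	return p
}

// hardenedHandler refuses requests for any host other than the configured
// one, builds the absolute redirect from that configured host, and escapes
// the path before appending the slash.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	if !strings.EqualFold(r.Host, canonicalHost) {
		http.Error(w, "unknown host", http.StatusBadRequest)
		return
	}
	if r.URL.Path == "/" {
		http.Redirect(w, r, "https://"+canonicalHost+"/portal/", http.StatusFound)
		return
	}
	if !strings.HasSuffix(r.URL.Path, "/") {
		http.Redirect(w, r, escapeLeadingSlashes(r.URL.Path)+"/", http.StatusMovedPermanently)
		return
	}
	fmt.Fprintln(w, "directory listing for", r.URL.Path)
}

// location drives a handler with a constructed request and returns the
// status code and Location header it produced. target is the raw
// request-target from the request line; host is the Host header value.
func location(h http.HandlerFunc, target, host string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.Host = host
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	cases := []struct{ target, host string }{
		{"/docs", canonicalHost},       // the legitimate case
		{"//evil.com", canonicalHost},  // scheme-relative path in the request line
		{"/\\evil.com", canonicalHost}, // backslash variant browsers treat the same way
		{"/", "evil.com"},              // attacker-chosen Host header
	}
	for _, c := range cases {
		vc, vl := location(vulnerableHandler, c.target, c.host)
		hc, hl := location(hardenedHandler, c.target, c.host)
		fmt.Printf("%-12s Host=%-20s vulnerable: %d %-24s hardened: %d %s\n",
			c.target, c.host, vc, vl, hc, hl)
	}
}
```

Note that Go's own net/http parses `//evil.com` from a request line as a path, not an authority, so the handler sees a path beginning with two slashes and the danger only appears when that path is echoed into a Location header; the backslash case survives `path.Clean`, which is why the escape has to handle it explicitly.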
| CVE-2018-11408 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.

| CVE-2018-11119 | 1 Ilias | 1 Ilias | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

ILIAS 5.1.x, 5.2.x, and 5.3.x before 5.3.5 redirects a logged-in user to a third-party site via the return_to_url parameter.

| CVE-2018-11067 | 2 Dell, Vmware | 3 Emc Avamar, Emc Integrated Data Protection Appliance, Vsphere Data Protection | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 contain an open redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking victim users into clicking maliciously crafted links. The vulnerability could be used to conduct phish ...

| CVE-2018-11041 | 1 Pivotal Software | 2 Cloud Foundry Uaa, Cloud Foundry Uaa-release | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0 except 4.10.1 and 4.7.5 and uaa-release versions later than v48 and prior to v60 except v55.1 and v52.9, does not validate redirect URL values on a form parameter used for internal UAA redirects on the login page, allowing open redirects. A remote attacker can craft a malicious link that, when clicked, will redirect users to arbitrary websites after a successful login attempt.

| CVE-2018-10678 | 1 Mybb | 1 Mybb | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks.

| CVE-2018-10651 | 1 Citrix | 1 Xenmobile Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

There are Open Redirect Vulnerabilities in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.

| CVE-2018-10101 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.

| CVE-2018-10100 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.

| CVE-2018-1002102 | 2 Fedoraproject, Kubernetes | 2 Fedora, Kubernetes | 2024-11-21 | 2.1 LOW | 2.6 LOW |

Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate credentials for authenticating to the Kubelet.

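The Kubernetes entry is the client-side form of the weakness: a server component follows a redirect handed to it by a host it should not trust, and carries its own credentials to wherever the redirect points. The Go program below is an added example for this page, not Kubernetes code. The cluster network is replaced by a constructed RoundTripper serving two invented hosts, `kubelet.internal`, whose streaming endpoint answers with a redirect, and `attacker.example`, which counts what reaches it, so the program runs without opening sockets. It compares Go's default client, which follows the redirect, with one whose CheckRedirect refuses to leave the original scheme and host. Header hygiene is not a substitute here: Go's client already drops Authorization and Cookie headers on a cross-domain redirect, but a TLS client certificate is presented on every connection the client opens, which is exactly the credential the entry describes.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync/atomic"
)

// fakeNetwork stands in for the cluster network so the example needs no
// sockets. It serves two constructed hosts: kubelet.internal, whose
// streaming endpoints answer with a redirect chosen by whoever controls the
// kubelet, and attacker.example, which counts every request that reaches it.
type fakeNetwork struct {
	attackerHits int32
}

func (n *fakeNetwork) RoundTrip(req *http.Request) (*http.Response, error) {
	switch req.URL.Host {
	case "kubelet.internal":
		return &http.Response{
			StatusCode: http.StatusFound,
			Header:     http.Header{"Location": {"https://attacker.example" + req.URL.Path}},
			Body:       io.NopCloser(strings.NewReader("")),
			Request:    req,
		}, nil
	case "attacker.example":
		atomic.AddInt32(&n.attackerHits, 1)
		return &http.Response{
			StatusCode: http.StatusOK,
			Header:     http.Header{},
			Body:       io.NopCloser(strings.NewReader("this request arrived with the caller's credentials")),
			Request:    req,
		}, nil
	}
	return nil, fmt.Errorf("no route to host %q", req.URL.Host)
}

// sameHostOnly is a CheckRedirect policy: a redirect is followed only if it
// stays on the scheme and host the first request was sent to. Returning an
// error makes client.Get hand back the 3xx response and the error instead
// of issuing the next request.
func sameHostOnly(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	first := via[0].URL
	if req.URL.Scheme != first.Scheme || req.URL.Host != first.Host {
		return fmt.Errorf("refusing redirect from %s to %s", first.Host, req.URL.Host)
	}
	return nil
}

// streamFromKubelet issues the API server's request to a pod exec endpoint
// through a client built with the given redirect policy (nil selects Go's
// default, which follows up to 10 redirects to any host). It returns how
// many requests reached attacker.example and the error the client reported.
func streamFromKubelet(policy func(*http.Request, []*http.Request) error) (int32, error) {
	network := &fakeNetwork{}
	client := &http.Client{Transport: network, CheckRedirect: policy}
	resp, err := client.Get("https://kubelet.internal/exec/default/web/nginx")
	if err == nil {
		resp.Body.Close()
	}
	return atomic.LoadInt32(&network.attackerHits), err
}

func main() {
	hits, err := streamFromKubelet(nil)
	fmt.Printf("default client: attacker requests=%d err=%v\n", hits, err)
	hits, err = streamFromKubelet(sameHostOnly)
	fmt.Printf("pinned client:  attacker requests=%d err=%v\n", hits, err)
}
```

With the default policy the request is re-issued to attacker.example and the counter reads 1; with sameHostOnly the client stops at the 302, returns an error naming both hosts, and nothing reaches the attacker. A caller that genuinely needs cross-host redirects should allow-list the destinations rather than accept any host the peer names.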
| CVE-2018-1000671 | 2 Debian, Sympa | 2 Debian Linux, Sympa | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Sympa version 6.2.16 and later contains a CWE-601: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the "referer" parameter of the wwsympa.fcgi login action that can result in open redirection and reflected XSS via data: URIs. Exploitation requires that the victim's browser follow a URL supplied by the attacker. No fixed version was available at the time of the report.

| CVE-2018-1000504 | 1 Redirection | 1 Redirection | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |

Redirection version 2.7.3 contains an arbitrary code execution (ACE) via file inclusion vulnerability in Pass-through mode that allows admins to execute any PHP file in the filesystem. Exploitation requires access to an admin account on the target site. This vulnerability appears to have been fixed in 2.8.

| CVE-2018-1000174 | 1 Jenkins | 1 Google Login | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after successful login.

| CVE-2018-0924 | 1 Microsoft | 1 Exchange Server | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |

Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 20, Microsoft Exchange Server 2013 Cumulative Update 18, Microsoft Exchange Server 2013 Cumulative Update 19, Microsoft Exchange Server 2013 Service Pack 1, Microsoft Exchange Server 2016 Cumulative Update 7, and Microsoft Exchange Server 2016 Cumulative Update 8 allow an information disclosure vulnerability due to how URL redirects are handled, aka "Microsoft Exchange Information Disclosure Vulnerability". This CVE is unique from CVE-2 ...

| CVE-2018-0688 | 1 Epson | 116 Ds-570w, Ds-570w Firmware, Ds-780n and 113 more | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |

Open redirect vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September 4, EP-30VA firmware versions released prior to 2017 June 19, EP-707A firmware versions released prior to 2017 August 1, EP-708A firmware versions released prior to 2017 August 7, EP-709A firmware versions released prior to 2017 June 12, EP-777A firmware ver ...
