Total
999 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-45402 | 1 Apache | 1 Airflow | 2024-02-28 | N/A | 6.1 MEDIUM |
| In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver's `/login` endpoint. | |||||
| CVE-2022-28755 | 1 Zoom | 2 Virtual Desktop Infrastructure, Zoom | 2024-02-28 | N/A | 6.1 MEDIUM |
| The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.11.0 are susceptible to a URL parsing vulnerability. If a malicious Zoom meeting URL is opened, the malicious link may direct the user to connect to an arbitrary network address, leading to additional attacks including the potential for remote code execution through launching executables from arbitrary paths. | |||||
| CVE-2021-3639 | 1 Uninett | 1 Mod Auth Mellon | 2024-02-28 | N/A | 6.1 MEDIUM |
| A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this liability is to confidentiality and integrity. | |||||
| CVE-2022-28977 | 1 Liferay | 2 Dxp, Liferay Portal | 2024-02-28 | N/A | 6.1 MEDIUM |
| HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect. | |||||
| CVE-2022-31735 | 1 Osstech | 1 Openam | 2024-02-28 | N/A | 6.1 MEDIUM |
| OpenAM Consortium Edition version 14.0.0 provided by OpenAM Consortium contains an open redirect vulnerability (CWE-601). When accessing an affected server through some specially crafted URL, the user may be redirected to an arbitrary website. | |||||
| CVE-2022-26954 | 1 Nopcommerce | 1 Nopcommerce | 2024-02-28 | N/A | 6.1 MEDIUM |
| Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class. | |||||
| CVE-2022-39814 | 1 Nokia | 1 1350 Optical Management System | 2024-02-28 | N/A | 6.1 MEDIUM |
| In NOKIA 1350 OMS R14.2, an Open Redirect vulnerability occurs is the login page via next HTTP GET parameter. | |||||
| CVE-2022-39359 | 1 Metabase | 1 Metabase | 2024-02-28 | N/A | 6.5 MEDIUM |
| Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URL address would follow redirects to addresses that were otherwise disallowed, like link-local or private-network. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follow redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSON completely (`true` by default). | |||||
| CVE-2022-35953 | 1 Joinbookwyrm | 1 Bookwyrm | 2024-02-28 | N/A | 6.1 MEDIUM |
| BookWyrm is a social network for tracking your reading, talking about books, writing reviews, and discovering what to read next. Some links in BookWyrm may be vulnerable to tabnabbing, a form of phishing that gives attackers an opportunity to redirect a user to a malicious site. The issue was patched in version 0.4.5. | |||||
| CVE-2022-31151 | 1 Nodejs | 1 Undici | 2024-02-28 | N/A | 6.5 MEDIUM |
| Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default). | |||||
| CVE-2022-25799 | 1 Cert | 1 Vince | 2024-02-28 | N/A | 6.1 MEDIUM |
| An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user's browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user's credentials. | |||||
| CVE-2022-39021 | 1 Edetw | 1 U-office Force | 2024-02-28 | N/A | 6.1 MEDIUM |
| U-Office Force login function has an Open Redirect vulnerability. An unauthenticated remote attacker can exploit this vulnerability to redirect user to arbitrary website. | |||||
| CVE-2022-30706 | 1 Twinkletoessoftware | 1 Booked | 2024-02-28 | N/A | 6.1 MEDIUM |
| Open redirect vulnerability in Booked versions prior to 3.3 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL. | |||||
| CVE-2022-31193 | 1 Duraspace | 1 Dspace | 2024-02-28 | N/A | 6.1 MEDIUM |
| DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. This issue has been patched in versions 5.11 and 6.4. Users are advised to upgrade. There are no known workaround for this vulnerability. | |||||
| CVE-2022-43985 | 1 Apache | 1 Airflow | 2024-02-28 | N/A | 6.1 MEDIUM |
| In Apache Airflow versions prior to 2.4.2, there was an open redirect in the webserver's `/confirm` endpoint. | |||||
| CVE-2022-3438 | 1 Ikus-soft | 1 Rdiffweb | 2024-02-28 | N/A | 6.1 MEDIUM |
| Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.0a4. | |||||
| CVE-2022-41207 | 1 Sap | 1 Biller Direct | 2024-02-28 | N/A | 6.1 MEDIUM |
| SAP Biller Direct allows an unauthenticated attacker to craft a legitimate looking URL. When clicked by an unsuspecting victim, it will use an unsensitized parameter to redirect the victim to a malicious site of the attacker's choosing which can result in disclosure or modification of the victim's information. | |||||
| CVE-2022-31657 | 3 Linux, Microsoft, Vmware | 6 Linux Kernel, Windows, Access Connector and 3 more | 2024-02-28 | N/A | 9.8 CRITICAL |
| VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. A malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain. | |||||
| CVE-2022-41215 | 1 Sap | 1 Netweaver Application Server Abap | 2024-02-28 | N/A | 4.7 MEDIUM |
| SAP NetWeaver ABAP Server and ABAP Platform allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked to disclose personal information. | |||||
| CVE-2022-25803 | 1 Bestpractical | 1 Request Tracker | 2024-02-28 | N/A | 6.1 MEDIUM |
| Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search. | |||||