Total
1018 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21337 | 1 Zope | 1 Products.pluggableauthservice | 2024-11-21 | 5.8 MEDIUM | 5.7 MEDIUM |
| Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install "Products.PluggableAuthService>=2.6.1". | |||||
| CVE-2021-21330 | 3 Aiohttp, Debian, Fedoraproject | 3 Aiohttp, Debian Linux, Fedora | 2024-11-21 | 5.8 MEDIUM | 3.1 LOW |
| aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications. | |||||
| CVE-2021-21291 | 1 Oauth2 Proxy Project | 1 Oauth2 Proxy | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect. For example, if a whitelist domain was configured for ".example.com", the intention is that subdomains of example.com are allowed. Instead, "example.com" and "badexample.com" could also match. This is fixed in version 7.0.0 onwards. As a workaround, one can disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain. | |||||
| CVE-2021-21273 | 2 Fedoraproject, Matrix | 2 Fedora, Synapse | 2024-11-21 | 5.8 MEDIUM | 3.1 LOW |
| Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0 which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary. | |||||
| CVE-2021-20875 | 1 Groupsession | 1 Groupsession | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in GroupSession Free edition ver5.1.1 and earlier, GroupSession byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 and earlier allows a remote unauthenticated attacker to redirect users to arbitrary web sites and conduct phishing attacks by having a user to access a specially crafted URL. | |||||
| CVE-2021-20806 | 1 Cybozu | 1 Remote Service Manager | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in Cybozu Remote Service 3.0.0 to 3.1.9 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2021-20789 | 1 Groupsession | 3 Groupsession, Groupsession Bycloud, Groupsession Zion | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in GroupSession (GroupSession Free edition from ver2.2.0 to the version prior to ver5.1.0, GroupSession byCloud from ver3.0.3 to the version prior to ver5.1.0, and GroupSession ZION from ver3.0.3 to the version prior to ver5.1.0) allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack via a specially crafted URL. | |||||
| CVE-2021-20534 | 2 Docker, Ibm | 2 Docker, Security Verify Access | 2024-11-21 | 4.9 MEDIUM | 3.5 LOW |
| IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 198814 | |||||
| CVE-2021-20105 | 1 Machform | 1 Machform | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Machform prior to version 16 is vulnerable to an open redirect in Safari_init.php due to an improperly sanitized 'ref' parameter. | |||||
| CVE-2021-20031 | 1 Sonicwall | 59 Nsa 2650, Nsa 2700, Nsa 3650 and 56 more | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| A Host Header Redirection vulnerability in SonicOS potentially allows a remote attacker to redirect firewall management users to arbitrary web domains. | |||||
| CVE-2021-1629 | 3 Linux, Microsoft, Tableau | 3 Linux Kernel, Windows, Tableau Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Tableau Server fails to validate certain URLs that are embedded in emails sent to Tableau Server users. | |||||
| CVE-2021-1525 | 1 Cisco | 2 Webex Meetings Online, Webex Meetings Server | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to redirect users to a malicious file. This vulnerability is due to improper validation of URL paths in the application interface. An attacker could exploit this vulnerability by persuading a user to follow a specially crafted URL that is designed to cause Cisco Webex Meetings to include a remote file in the web UI. A successful exploit could allow the attacker to cause the application to offer a remote file to a user, which could allow the attacker to conduct further phishing or spoofing attacks. | |||||
| CVE-2021-1500 | 1 Cisco | 2 Collaboration Meeting Rooms, Webex Video Mesh | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Webex Video Mesh could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the URL parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website. Attackers may use this type of vulnerability, known as an open redirect attack, as part of a phishing attack to persuade users to unknowingly visit malicious sites. | |||||
| CVE-2021-1397 | 1 Cisco | 48 C125 M5, C125 M5 Firmware, C220 M5 and 45 more | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website. This vulnerability is known as an open redirect attack, which is used in phishing attacks to get users to visit malicious sites without their knowledge. | |||||
| CVE-2021-1358 | 1 Cisco | 1 Finesse | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to redirect a user to an undesired web page. This vulnerability is due to improper input validation of the URL parameters in an HTTP request that is sent to an affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to cause the interface to redirect the user to a specific, malicious URL. This type of vulnerability is known as an open redirect and is used in phishing attacks that get users to unknowingly visit malicious sites. | |||||
| CVE-2021-1310 | 1 Cisco | 1 Webex Meetings | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page, bypassing the warning mechanism that should prompt the user before the redirection. This vulnerability is due to improper input validation of the URL parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website, bypassing the Webex URL check that should result in a warning before the redirection to the web page. Attackers may use this type of vulnerability, known as an open redirect attack, as part of a phishing attack to convince users to unknowingly visit malicious sites. | |||||
| CVE-2021-1218 | 1 Cisco | 1 Smart Software Manager On-prem | 2024-11-21 | 4.9 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the web management interface of Cisco Smart Software Manager satellite could allow an authenticated, remote attacker to redirect a user to an undesired web page. The vulnerability is due to improper input validation of the URL parameters in an HTTP request that is sent to an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request that could cause the web application to redirect the request to a specified malicious URL. A successful exploit could allow the attacker to redirect a user to a malicious website. | |||||
| CVE-2020-9995 | 1 Apple | 1 Macos Server | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue existed in the parsing of URLs. This issue was addressed with improved input validation. This issue is fixed in macOS Server 5.11. Processing a maliciously crafted URL may lead to an open redirect or cross site scripting. | |||||
| CVE-2020-8559 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 6.0 MEDIUM | 6.4 MEDIUM |
| The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise. | |||||
| CVE-2020-8430 | 1 Stormshield | 1 Stormshield Network Security | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Stormshield Network Security 310 3.7.10 devices have an auth/lang.html?rurl= Open Redirect vulnerability on the captive portal. For example, the attacker can use rurl=//example.com instead of rurl=https://example.com in the query string. | |||||