Total
1250 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-3788 | 1 Cloudfoundry | 1 Uaa Release | 2024-11-21 | N/A |
| Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured with a wildcard in the redirect uri's subdomain, a remote malicious unauthenticated user can craft a phishing link to get a UAA access code from the victim. | ||||
| CVE-2019-3778 | 2 Oracle, Pivotal Software | 2 Banking Corporate Lending, Spring Security Oauth | 2024-11-21 | 6.5 Medium |
| Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient). | ||||
| CVE-2019-3477 | 1 Microfocus | 1 Solutions Business Manager | 2024-11-21 | N/A |
| Micro Focus Solution Business Manager versions prior to 11.4.2 is susceptible to open redirect. | ||||
| CVE-2019-25155 | 1 Cure53 | 1 Dompurify | 2024-11-21 | 6.1 Medium |
| DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute. | ||||
| CVE-2019-20901 | 1 Atlassian | 2 Jira, Jira Server | 2024-11-21 | 6.1 Medium |
| The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter. | ||||
| CVE-2019-20479 | 5 Debian, Fedoraproject, Openidc and 2 more | 5 Debian Linux, Fedora, Mod Auth Openidc and 2 more | 2024-11-21 | 6.1 Medium |
| A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning. | ||||
| CVE-2019-20225 | 1 Mybb | 1 Mybb | 2024-11-21 | 6.1 Medium |
| MyBB before 1.8.22 allows an open redirect on login. | ||||
| CVE-2019-1486 | 1 Microsoft | 2 Visual Studio 2019, Visual Studio Live Share | 2024-11-21 | 6.1 Medium |
| A spoofing vulnerability exists in Visual Studio Live Share when a guest connected to a Live Share session is redirected to an arbitrary URL specified by the session host, aka 'Visual Studio Live Share Spoofing Vulnerability'. | ||||
| CVE-2019-1075 | 1 Microsoft | 1 Asp.net Core | 2024-11-21 | N/A |
| A spoofing vulnerability exists in ASP.NET Core that could lead to an open redirect, aka 'ASP.NET Core Spoofing Vulnerability'. | ||||
| CVE-2019-19775 | 1 Zulip | 1 Zulip Server | 2024-11-21 | 6.1 Medium |
| The image thumbnailing handler in Zulip Server versions 1.9.0 to before 2.0.8 allowed an open redirect that was visible to logged-in users. | ||||
| CVE-2019-19758 | 1 Lenovo | 4 Ez Media \& Backup Center Ix2, Ez Media \& Backup Center Ix2-dl, Ez Media \& Backup Center Ix2-dl Firmware and 1 more | 2024-11-21 | 6.1 Medium |
| A vulnerability in the web interface of Lenovo EZ Media & Backup Center, ix2 & ix2-dl version 4.1.406.34763 and prior could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page. | ||||
| CVE-2019-19709 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | 6.1 Medium |
| MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page. | ||||
| CVE-2019-19703 | 1 Jetbrains | 1 Ktor | 2024-11-21 | 6.1 Medium |
| In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location. | ||||
| CVE-2019-19613 | 1 Halvotec | 1 Raquest | 2024-11-21 | 5.2 Medium |
| An issue was discovered in Halvotec RaQuest 10.23.10801.0. The login page of the admin application is vulnerable to an Open Redirect attack allowing an attacker to redirect a user to a malicious site after authentication. The attacker needs to be on the same network to modify the victim's request on the wire. Fixed in Release 24.2020.20608.0 | ||||
| CVE-2019-19484 | 1 Centreon | 1 Centreon | 2024-11-21 | 6.1 Medium |
| Open redirect via parameter āpā in login.php in Centreon (19.04.4 and below) allows an attacker to craft a payload and execute unintended behavior. | ||||
| CVE-2019-18815 | 1 Popojicms | 1 Popojicms | 2024-11-21 | 6.1 Medium |
| PopojiCMS 2.0.1 allows refer= Open Redirection. | ||||
| CVE-2019-18781 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 6.1 Medium |
| An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site. | ||||
| CVE-2019-18451 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.1 Medium |
| An issue was discovered in GitLab Community and Enterprise Edition 10.7.4 through 12.4 in the InternalRedirect filtering feature. It has an Open Redirect. | ||||
| CVE-2019-17151 | 1 Tencent | 1 Wechat | 2024-11-21 | 5.4 Medium |
| This vulnerability allows remote attackers redirect users to an external resource on affected installations of Tencent WeChat Prior to 7.0.9. User interaction is required to exploit this vulnerability in that the target must be within a chat session together with the attacker. The specific flaw exists within the parsing of a users profile. The issue lies in the failure to properly validate a users name. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-9302. | ||||
| CVE-2019-16393 | 3 Canonical, Debian, Spip | 3 Ubuntu Linux, Debian Linux, Spip | 2024-11-21 | 6.1 Medium |
| SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character. | ||||