Vulnerabilities (CVE)

Filtered by CWE-601
Total 607 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-20733 1 Asken 1 Asken 2022-05-16 5.8 MEDIUM 6.1 MEDIUM
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
CVE-2022-1209 1 Ultimatemember 1 Ultimate Member 2022-05-16 3.5 LOW 5.4 MEDIUM
The Ultimate Member plugin for WordPress is vulnerable to open redirects due to insufficient validation on supplied URLs in the social fields of the Profile Page, which makes it possible for attackers to redirect unsuspecting victims in versions up to, and including, 2.3.1 granted the victim clicks on a social icon on a user's profile page.
CVE-2021-31879 3 Broadcom, Gnu, Netapp 8 Brocade Fabric Operating System Firmware, Wget, 500f and 5 more 2022-05-13 5.8 MEDIUM 6.1 MEDIUM
GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.
CVE-2021-44054 1 Qnap 3 Qts, Quts Hero, Qutscloud 2022-05-13 5.8 MEDIUM 6.1 MEDIUM
An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS build 20220324 and later QTS build 20220329 and later
CVE-2022-27461 1 Nopcommerce 1 Nopcommerce 2022-05-12 5.8 MEDIUM 6.1 MEDIUM
In nopCommerce 4.50.1, an open redirect vulnerability can be triggered by luring a user to authenticate to a nopCommerce page by clicking on a crafted link.
CVE-2022-20794 1 Cisco 2 Roomos, Telepresence Collaboration Endpoint 2022-05-11 4.3 MEDIUM 4.7 MEDIUM
Multiple vulnerabilities in the web engine of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow a remote attacker to cause a denial of service (DoS) condition, view sensitive data on an affected device, or redirect users to an attacker-controlled destination. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2021-46379 1 Dlink 2 Dir-850l, Dir-850l Firmware 2022-05-11 5.8 MEDIUM 6.1 MEDIUM
DLink DIR850 ET850-1.08TRb03 is affected by an incorrect access control vulnerability through URL redirection to untrusted site.
CVE-2021-32786 3 Apache, Fedoraproject, Zmartzone 3 Http Server, Fedora, Mod Auth Openidc 2022-05-10 5.8 MEDIUM 6.1 MEDIUM
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring `mod_auth_openidc` to only allow redirection whose destination matches a given regular expression.
CVE-2022-26326 1 Microfocus 1 Netiq Access Manager 2022-05-09 5.8 MEDIUM 6.1 MEDIUM
Potential open redirection vulnerability when URL is crafted in specific format in NetIQ Access Manager prior to 5.0.2
CVE-2022-24887 1 Nextcloud 1 Talk 2022-05-09 5.8 MEDIUM 6.1 MEDIUM
Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are currently no known workarounds.
CVE-2021-24838 1 Bologer 1 Anycomment 2022-05-09 5.8 MEDIUM 6.1 MEDIUM
The AnyComment WordPress plugin before 0.3.5 has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.
CVE-2021-39191 2 Fedoraproject, Zmartzone 2 Fedora, Mod Auth Openidc 2022-05-07 5.8 MEDIUM 6.1 MEDIUM
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the `target_link_uri` parameter. A patch in version made it so that the `OIDCRedirectURLsAllowed` setting must be applied to the `target_link_uri` parameter. There are no known workarounds aside from upgrading to a patched version.
CVE-2021-25111 1 English Wordpress Admin Project 1 English Wordpress Admin 2022-05-03 5.8 MEDIUM 6.1 MEDIUM
The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue
CVE-2020-14118 1 Mi 1 Mi App Store 2022-05-03 5.8 MEDIUM 6.1 MEDIUM
An intent redirection vulnerability in the Mi App Store product. This vulnerability is caused by the Mi App Store does not verify the validity of the incoming data, can cause the app store to automatically download and install apps.
CVE-2022-24858 1 Nextauth.js 1 Next-auth 2022-04-29 5.8 MEDIUM 6.1 MEDIUM
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.
CVE-2022-1254 1 Mcafee 1 Web Gateway 2022-04-29 5.8 MEDIUM 6.1 MEDIUM
A URL redirection vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.9, 9.x prior to 9.2.20, 8.x prior to 8.2.27, and 7.x prior to, and controlled release 11.x prior to 11.1.3 allows a remote attacker to redirect a user to a malicious website controlled by the attacker. This is possible because SWG incorrectly creates a HTTP redirect response when a user clicks a carefully constructed URL. Following the redirect response, the new request is still filtered by the SWG policy.
CVE-2020-13565 2 Open-emr, Phpgacl Project 2 Openemr, Phpgacl 2022-04-28 5.8 MEDIUM 6.1 MEDIUM
An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7, OpenEMR 5.0.2 and OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability.
CVE-2022-1019 1 Automatedlogic 1 Webctrl Server 2022-04-27 5.8 MEDIUM 6.1 MEDIUM
Automated Logic's WebCtrl Server Version 6.1 'Help' index pages are vulnerable to open redirection. The vulnerability allows an attacker to send a maliciously crafted URL which could result in redirecting the user to a malicious webpage or downloading a malicious file.
CVE-2022-0645 1 Posthog 1 Posthog 2022-04-27 5.8 MEDIUM 6.1 MEDIUM
Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1.
CVE-2020-1927 8 Apache, Broadcom, Canonical and 5 more 14 Http Server, Brocade Fabric Operating System, Ubuntu Linux and 11 more 2022-04-26 5.8 MEDIUM 6.1 MEDIUM
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.