Total
1154 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-8945 | 1 Hp | 1 Icewall Federation Agent | 2024-11-21 | N/A |
| A Remote Unauthorized Disclosure of Information vulnerability in HPE IceWall Federation Agent version 3.0 was found. | ||||
| CVE-2017-7153 | 3 Apple, Canonical, Microsoft | 8 Icloud, Iphone Os, Itunes and 5 more | 2024-11-21 | N/A |
| An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to spoof user-interface information (about whether the entire content is derived from a valid TLS session) via a crafted web site that sends a 401 Unauthorized redirect. | ||||
| CVE-2017-6932 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2024-11-21 | N/A |
| Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site. | ||||
| CVE-2017-5871 | 1 Odoo | 1 Odoo | 2024-11-21 | N/A |
| Odoo Version <= 8.0-20160726 and Version 9 is affected by: CWE-601: Open redirection. The impact is: obtain sensitive information (remote). | ||||
| CVE-2017-5389 | 1 Mozilla | 1 Firefox | 2024-11-21 | N/A |
| WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 51. | ||||
| CVE-2017-2166 | 1 Groupsession | 1 Groupsession | 2024-11-21 | N/A |
| Open redirect vulnerability in GroupSession version 4.7.0 and earlier allows an attacker to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | ||||
| CVE-2017-1748 | 1 Ibm | 1 Connections | 2024-11-21 | N/A |
| IBM Connections 5.0, 5.5, and 6.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 135521. | ||||
| CVE-2017-1668 | 1 Ibm | 1 Security Key Lifecycle Manager | 2024-11-21 | N/A |
| IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 133562. | ||||
| CVE-2017-1534 | 1 Ibm | 6 Security Access Manager Appliance, Security Access Manager Firmware, Security Access Manager For Mobile and 3 more | 2024-11-21 | N/A |
| IBM Security Access Manager Appliance 8.0.0 and 9.0.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 130676. | ||||
| CVE-2017-18897 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 6.1 Medium |
| An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection. | ||||
| CVE-2017-18891 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 6.1 Medium |
| An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link. | ||||
| CVE-2017-18441 | 1 Cpanel | 1 Cpanel | 2024-11-21 | N/A |
| cPanel before 64.0.21 allows demo accounts to redirect web traffic (SEC-245). | ||||
| CVE-2017-18414 | 1 Cpanel | 1 Cpanel | 2024-11-21 | N/A |
| cPanel before 67.9999.103 allows an open redirect in /unprotected/redirect.html (SEC-300). | ||||
| CVE-2017-18262 | 1 Blackboard | 1 Blackboard Learn | 2024-11-21 | N/A |
| Blackboard Learn (Since at least 17th of October 2017) has allowed Unvalidated Redirects on any signed-in user through its endpoints for handling Shibboleth logins, as demonstrated by a webapps/bb-auth-provider-shibboleth-BBLEARN/execute/shibbolethLogin?returnUrl= URI. | ||||
| CVE-2017-18178 | 1 Progress | 1 Sitefinity | 2024-11-21 | N/A |
| Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1. | ||||
| CVE-2017-18109 | 1 Atlassian | 1 Crowd | 2024-11-21 | N/A |
| The login resource of CrowdId in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect. | ||||
| CVE-2017-16652 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2024-11-21 | N/A |
| An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks. | ||||
| CVE-2017-16224 | 1 St Project | 1 St | 2024-11-21 | N/A |
| st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e"). | ||||
| CVE-2017-15419 | 3 Debian, Google, Redhat | 6 Debian Linux, Chrome, Enterprise Linux Desktop and 3 more | 2024-11-21 | N/A |
| Insufficient policy enforcement in Resource Timing API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to infer browsing history by triggering a leaked cross-origin URL via a crafted HTML page. | ||||
| CVE-2017-14802 | 1 Netiq | 1 Access Manager | 2024-11-21 | N/A |
| Novell Access Manager Admin Console and IDP servers before 4.3.3 have a URL that could be used by remote attackers to trigger unvalidated redirects to third party sites. | ||||