Total
1175 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-25640 | 1 Apache | 1 Dubbo | 2024-11-21 | 6.1 Medium |
| In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability. | ||||
| CVE-2021-25111 | 1 English Wordpress Admin Project | 1 English Wordpress Admin | 2024-11-21 | 6.1 Medium |
| The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue | ||||
| CVE-2021-25074 | 1 Webp Converter For Media Project | 1 Webp Converter For Media | 2024-11-21 | 6.1 Medium |
| The WebP Converter for Media WordPress plugin before 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue | ||||
| CVE-2021-25033 | 1 Noptin | 1 Noptin | 2024-11-21 | 6.1 Medium |
| The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue | ||||
| CVE-2021-25028 | 1 Tri | 1 Event Tickets | 2024-11-21 | 6.1 Medium |
| The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue | ||||
| CVE-2021-24838 | 1 Bologer | 1 Anycomment | 2024-11-21 | 6.1 Medium |
| The AnyComment WordPress plugin before 0.3.5 has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature. | ||||
| CVE-2021-24406 | 1 Gvectors | 1 Wpforo Forum | 2024-11-21 | 6.1 Medium |
| The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login. Such issue could allow an attacker to induce a user to use a login URL redirecting to a website under their control and being a replica of the legitimate one, asking them to re-enter their credentials (which will then in the attacker hands) | ||||
| CVE-2021-24358 | 1 Posimyth | 1 The Plus Addons For Elementor | 2024-11-21 | 6.1 Medium |
| The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue. | ||||
| CVE-2021-24288 | 1 Acymailing | 1 Acymailing | 2024-11-21 | 6.1 Medium |
| When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim. | ||||
| CVE-2021-24210 | 1 Kiboit | 1 Phastpress | 2024-11-21 | 6.1 Medium |
| There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only go to whitelisted pages but it's possible to redirect the victim to any domain. | ||||
| CVE-2021-24165 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 6.1 Medium |
| In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place. | ||||
| CVE-2021-23888 | 1 Mcafee | 1 Epolicy Orchestrator | 2024-11-21 | 6.3 Medium |
| Unvalidated client-side URL redirect vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 10 could cause an authenticated ePO user to load an untrusted site in an ePO iframe which could steal information from the authenticated user. | ||||
| CVE-2021-23495 | 1 Karma Project | 1 Karma | 2024-11-21 | 5.4 Medium |
| The package karma before 6.3.16 are vulnerable to Open Redirect due to missing validation of the return_url query parameter. | ||||
| CVE-2021-23435 | 1 Thoughtbot | 1 Clearance | 2024-11-21 | 7.6 High |
| This affects the package clearance before 2.5.0. The vulnerability can be possible when users are able to set the value of session[:return_to]. If the value used for return_to contains multiple leading slashes (/////example.com) the user ends up being redirected to the external domain that comes after the slashes (http://example.com). | ||||
| CVE-2021-23401 | 1 Flask-user Project | 1 Flask-user | 2024-11-21 | 5.4 Medium |
| This affects all versions of package Flask-User. When using the make_safe_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as /////evil.com/path or \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. | ||||
| CVE-2021-23393 | 1 Flask Unchained Project | 1 Flask Unchained | 2024-11-21 | 5.4 Medium |
| This affects the package Flask-Unchained before 0.9.0. When using the the _validate_redirect_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. | ||||
| CVE-2021-23387 | 1 Trailing-slash Project | 1 Trailing-slash | 2024-11-21 | 5.4 Medium |
| The package trailing-slash before 2.0.1 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::createTrailing(), as the web server uses relative URLs instead of absolute URLs. | ||||
| CVE-2021-23385 | 1 Flask-security Project | 1 Flask-security | 2024-11-21 | 5.4 Medium |
| This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False. **Note:** Flask-Security is not maintained anymore. | ||||
| CVE-2021-23384 | 1 Koa-remove-trailing-slashes Project | 1 Koa-remove-trailing-slashes | 2024-11-21 | 5.4 Medium |
| The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::removeTrailingSlashes(), as the web server uses relative URLs instead of absolute URLs. | ||||
| CVE-2021-23052 | 1 F5 | 1 Big-ip Access Policy Manager | 2024-11-21 | 6.1 Medium |
| On version 14.1.x before 14.1.4.4 and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious user to build an open redirect URI. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||