Total
1232 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6552 | 1 Java-aodeng | 1 Hope-boot | 2025-07-12 | 4.3 Medium |
| A vulnerability was found in java-aodeng Hope-Boot 1.0.0. It has been classified as problematic. Affected is the function doLogin of the file /src/main/java/com/hope/controller/WebController.java of the component Login. The manipulation of the argument redirect_url leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-25198 | 1 Mailcow | 1 Mailcow Dockerized | 2025-07-12 | 7.1 High |
| mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings. | ||||
| CVE-2024-9387 | 1 Gitlab | 1 Gitlab | 2025-07-11 | 6.4 Medium |
| An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint. | ||||
| CVE-2024-11274 | 1 Gitlab | 1 Gitlab | 2025-07-11 | 8.7 High |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration. | ||||
| CVE-2024-22854 | 1 Darktrace | 1 Threat Visualizer | 2025-07-11 | 6.1 Medium |
| DOM-based HTML injection vulnerability in the main page of Darktrace Threat Visualizer version 6.1.27 (bundle version 61050) and before has been identified. A URL, crafted by a remote attacker and visited by an authenticated user, allows open redirect and potential credential stealing using an injected HTML form. | ||||
| CVE-2024-37656 | 1 Sir | 1 Gnuboard | 2025-07-10 | 6.1 Medium |
| An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the insufficient URL parameter verification in bbs/logout.php. | ||||
| CVE-2024-37657 | 1 Sir | 1 Gnuboard | 2025-07-10 | 6.1 Medium |
| An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via thebbs/login.php component. | ||||
| CVE-2024-37658 | 1 Sir | 1 Gnuboard | 2025-07-10 | 6.1 Medium |
| An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the bbs/member_confirm.php. | ||||
| CVE-2024-38211 | 1 Microsoft | 1 Dynamics 365 | 2025-07-10 | 8.2 High |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | ||||
| CVE-2025-6701 | 1 Xuxueli | 1 Xxl-sso | 2025-07-10 | 3.5 Low |
| A vulnerability, which was classified as problematic, has been found in Xuxueli xxl-sso 1.1.0. This issue affects some unknown processing of the file /xxl-sso-server/doLogin. The manipulation of the argument redirect_url leads to open redirect. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-42981 | 2025-07-08 | 6.1 Medium | ||
| Due to an open redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a URL link embedding a malicious script at a location not properly sanitized. When a victim clicks on this link, the script executes within the victim's browser, redirecting them to a site controlled by the attacker. This allows the attacker to access and/or modify restricted information related to the web client. While the vulnerability poses no impact on data availability, it presents a considerable risk to confidentiality and integrity. | ||||
| CVE-2025-42985 | 2025-07-08 | 6.1 Medium | ||
| Due to insufficient sanitization in the SAP BusinessObjects Content Administrator Workbench, attackers could craft malicious URLs and execute scripts in a victim�s browser. This could potentially lead to the exposure or modification of web client data, resulting in low impact on confidentiality and integrity, with no impact on application availability. | ||||
| CVE-2025-24381 | 1 Dell | 1 Unity Operating Environment | 2025-07-08 | 8.8 High |
| Dell Unity, version(s) 5.4 and prior, contain(s) an URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to a targeted application user being redirected to arbitrary web URLs. The vulnerability could be leveraged by attackers to conduct phishing attacks that cause users to divulge sensitive information. Exploitation may allow for session theft. | ||||
| CVE-2024-43536 | 1 Microsoft | 9 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 6 more | 2025-07-08 | 6.8 Medium |
| Windows Mobile Broadband Driver Remote Code Execution Vulnerability | ||||
| CVE-2024-43543 | 1 Microsoft | 9 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 6 more | 2025-07-08 | 6.8 Medium |
| Windows Mobile Broadband Driver Remote Code Execution Vulnerability | ||||
| CVE-2024-46886 | 2025-07-08 | 4.7 Medium | ||
| The web server of affected devices does not properly validate input that is used for a user redirection. This could allow an attacker to make the server redirect the legitimate user to an attacker-chosen URL. For a successful exploit, the legitimate user must actively click on an attacker-crafted link. | ||||
| CVE-2024-54957 | 1 Nagios | 1 Nagios Xi | 2025-07-07 | 6.1 Medium |
| Nagios XI 2024R1.2.2 is vulnerable to an open redirect flaw on the Tools page, exploitable by users with read-only permissions. This vulnerability allows an attacker to craft a malicious link that redirects users to an arbitrary external URL without their consent. | ||||
| CVE-2025-25012 | 1 Elastic | 1 Kibana | 2025-07-06 | 4.3 Medium |
| URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL. | ||||
| CVE-2025-6428 | 2 Google, Mozilla | 2 Android, Firefox | 2025-07-03 | 4.3 Medium |
| When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140. | ||||
| CVE-2025-50182 | 1 Urllib3 | 1 Urllib3 | 2025-06-30 | 5.3 Medium |
| urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0. | ||||