Total
1058 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16224 | 1 St Project | 1 St | 2019-10-09 | 5.8 MEDIUM | 6.1 MEDIUM |
| st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e"). | |||||
| CVE-2017-12344 | 1 Cisco | 1 Data Center Network Manager | 2019-10-09 | 5.8 MEDIUM | 6.1 MEDIUM |
| Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) Software could allow a remote attacker to inject arbitrary values into DCNM configuration parameters, redirect a user to a malicious website, inject malicious content into a DCNM client interface, or conduct a cross-site scripting (XSS) attack against a user of the affected software. Cisco Bug IDs: CSCvf40477, CSCvf63150, CSCvf68218, CSCvf68235, CSCvf68247. | |||||
| CVE-2019-15041 | 1 Jetbrains | 1 Youtrack | 2019-10-08 | 5.8 MEDIUM | 6.1 MEDIUM |
| JetBrains YouTrack versions before 2019.1.52545 allowed unbounded URL whitelisting because of Inclusion of Functionality from an Untrusted Control Sphere. | |||||
| CVE-2017-3528 | 1 Oracle | 1 Applications Framework | 2019-10-03 | 5.8 MEDIUM | 5.4 MEDIUM |
| Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (lists of values, datepicker, etc.)). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data. CVSS 3.0 Base Score 4.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N). | |||||
| CVE-2017-9062 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-10-03 | 5.0 MEDIUM | 8.6 HIGH |
| In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. | |||||
| CVE-2017-1156 | 1 Ibm | 1 Websphere Portal | 2019-10-03 | 6.8 MEDIUM | 8.8 HIGH |
| IBM WebSphere Portal 8.5 and 9.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force. ID: 122592 | |||||
| CVE-2017-1398 | 1 Ibm | 1 Websphere Commerce | 2019-09-30 | 5.8 MEDIUM | 6.1 MEDIUM |
| IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 6.0, 7.0, and 8.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 127385. | |||||
| CVE-2019-14912 | 1 Prise | 1 Adas | 2019-09-23 | 5.8 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does not properly check the goto parameter, leading to an open redirect that leaks the session cookie. | |||||
| CVE-2019-6004 | 1 Fujixerox | 2 Apeosware Management Suite, Apeosware Management Suite 2 | 2019-09-16 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in ApeosWare Management Suite Ver.1.4.0.18 and earlier, and ApeosWare Management Suite 2 Ver.2.1.2.4 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2019-5978 | 1 Cybozu | 1 Garoon | 2019-09-13 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in Cybozu Garoon 4.0.0 to 4.10.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the application 'Scheduler'. | |||||
| CVE-2019-6009 | 1 Ss-proj | 1 Shirasagi | 2019-09-13 | 5.8 MEDIUM | 6.1 MEDIUM |
| Open redirect vulnerability in SHIRASAGI v1.7.0 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2019-15818 | 1 Webcraftic | 1 Simple 301 Redirects | 2019-09-05 | 5.8 MEDIUM | 6.1 MEDIUM |
| The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist. | |||||
| CVE-2019-15820 | 1 Login Or Logout Menu Item Project | 1 Login Or Logout Menu Item | 2019-09-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| The login-or-logout-menu-item plugin before 1.2.0 for WordPress has no requirement for lolmi_save_settings authentication. | |||||
| CVE-2019-15771 | 1 Components For Wp Bakery Page Builder Project | 1 Components For Wp Bakery Page Builder | 2019-09-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| The nd-shortcodes plugin before 6.0 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | |||||
| CVE-2019-15776 | 1 Webcraftic | 1 Simple 301 Redirects-addon-bulk Uploader | 2019-09-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file. | |||||
| CVE-2019-15773 | 1 Travel Management Project | 1 Travel Management | 2019-09-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| The nd-travel plugin before 1.7 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | |||||
| CVE-2019-15772 | 1 Donations Project | 1 Donations | 2019-09-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| The nd-donations plugin before 1.4 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | |||||
| CVE-2019-15774 | 1 Booking Project | 1 Booking | 2019-09-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | |||||
| CVE-2019-15775 | 1 Learning Courses Project | 1 Learning Courses | 2019-09-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| The nd-learning plugin before 4.8 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | |||||
| CVE-2019-10751 | 1 Httpie | 1 Httpie | 2019-09-02 | 5.8 MEDIUM | 8.8 HIGH |
| All versions of the HTTPie package prior to version 1.0.3 are vulnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or hers control. | |||||