Common Weakness Enumeration

CWE-601

Allowed

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base · Status: Draft

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

2307 vulnerabilities reference this CWE, most recent first.

GHSA-G3CM-QG2V-2HJ5

Vulnerability from github – Published: 2024-02-05 23:23 – Updated: 2024-02-14 14:51
VLAI
Summary
pyLoad open redirect vulnerability due to improper validation of the is_safe_url function
Details

Summary

Open redirect vulnerability due to incorrect validation of input values when redirecting users after login.

Details

pyload is validating URLs via the get_redirect_url function when redirecting users at login. 301715649-f533db41-d0bd-44f7-8735-be1887fbd06c

The URL entered in the next variable goes through the is_safe_url function, where a lack of validation can redirect the user to an arbitrary domain. 301715667-2819b1d3-8a14-42f4-89c8-3d2fa84fc309

The documentation in the urllib library shows that improper URLs are recognized as relative paths when using the urlparse function. (https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlparse)

For example, When an unusual URL like https:///example.com is entered, urlparse interprets it as a relative path, but in the actual request it is converted to https://example.com due to url normalization.

PoC

  1. In the next variable, insert the URL to which you want to redirect the user. 301715949-bb1451eb-5e84-451d-83b4-5c3e204d1df7

  2. Check that it is possible to bypass url validation and redirect users to an arbitrary url. 301715824-3de6584a-878d-4ec4-a3d5-a34d11c6c0ac 301716107-ba5ab7b9-7aa8-4b7a-8924-eba82442b4c3

Impact

An attacker can use this vulnerability to redirect users to malicious websites, which can be used for phishing and similar attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0b3.dev79"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24808"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-05T23:23:22Z",
    "nvd_published_at": "2024-02-06T04:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nOpen redirect vulnerability due to incorrect validation of input values when redirecting users after login.\n\n### Details\npyload is validating URLs via the `get_redirect_url` function when redirecting users at login.\n![301715649-f533db41-d0bd-44f7-8735-be1887fbd06c](https://github.com/pyload/pyload/assets/114328108/7fbec2ed-05ed-46e6-847f-05132cf3f136)\n\n\nThe URL entered in the `next` variable goes through the `is_safe_url` function, where a lack of validation can redirect the user to an arbitrary domain.\n![301715667-2819b1d3-8a14-42f4-89c8-3d2fa84fc309](https://github.com/pyload/pyload/assets/114328108/613484f3-8097-4871-887d-8fa5eec817cc)\n\n\nThe documentation in the urllib library shows that improper URLs are recognized as relative paths when using the `urlparse` function. (https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlparse)\n\nFor example, When an unusual URL like `https:///example.com` is entered, `urlparse` interprets it as a relative path, but in the actual request it is converted to `https://example.com` due to url normalization.\n\n### PoC\n1. In the next variable, insert the URL to which you want to redirect the user.\n![301715949-bb1451eb-5e84-451d-83b4-5c3e204d1df7](https://github.com/pyload/pyload/assets/114328108/6fe639ea-1f85-4715-bf6c-c9c8c4ee9c94)\n\n\n\n2. Check that it is possible to bypass url validation and redirect users to an arbitrary url.\n![301715824-3de6584a-878d-4ec4-a3d5-a34d11c6c0ac](https://github.com/pyload/pyload/assets/114328108/902b3244-a4ef-4f8e-8319-c4b92764f15f)\n![301716107-ba5ab7b9-7aa8-4b7a-8924-eba82442b4c3](https://github.com/pyload/pyload/assets/114328108/35191d7b-50b9-4a46-8319-ebdebec20b41)\n\n\n\n### Impact\nAn attacker can use this vulnerability to redirect users to malicious websites, which can be used for phishing and similar attacks.\n",
  "id": "GHSA-g3cm-qg2v-2hj5",
  "modified": "2024-02-14T14:51:14Z",
  "published": "2024-02-05T23:23:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-g3cm-qg2v-2hj5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24808"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/commit/fe94451dcc2be90b3889e2fd9d07b483c8a6dccd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pyLoad open redirect vulnerability due to improper validation of the is_safe_url function"
}

GHSA-G45Q-XH8V-2XR4

Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-11-16 12:00
VLAI
Details

An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-18T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists.",
  "id": "GHSA-g45q-xh8v-2xr4",
  "modified": "2022-11-16T12:00:19Z",
  "published": "2022-05-24T17:20:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14446"
    },
    {
      "type": "WEB",
      "url": "https://cybersecurityworks.com/zerodays/cve-2020-14446-wso2.html"
    },
    {
      "type": "WEB",
      "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G4C2-GHFG-G5RH

Vulnerability from github – Published: 2022-01-28 23:10 – Updated: 2024-10-21 20:59
VLAI
Summary
Cross-site Scripting and Open Redirect in Products.ATContentTypes
Details

Impact

Plone is vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can get redirected when clicking on a link on this page. Usually only anonymous users are affected, but this depends on your cache settings.

Patches

A new version 3.0.6 of Products.ATContentTypes has been released with a fix. This version works on Plone 5.2 (Python 2 only) and will be included in Plone 5.2.7.

Note that the Products.CMFPlone package has the same problem in the 4.3 series. plone.app.contenttypes has the same problem in all versions, see advisory. For all unpatched versions of the three packages, you can use the following workaround.

Workaround

Make sure the image_view_fullscreen page is not stored in the cache. In Plone:

  • Login as Manager and go to Site Setup.
  • Go to the 'Caching' control panel. If this does not exist, or 'Enable caching' is not checked, you should normally not be vulnerable.
  • Click on the tab 'Caching operations'.
  • Under 'Legacy template mappings' locate the ruleset 'Content item view'.
  • From the last column ('Templates') remove 'image_view_fullscreen'.
  • Click on Save.

Reporter

This vulnerability was responsibly disclosed to the Plone Security Team by Gustav Hansen, F-Secure Consulting. Thank you!

For more information

If you have any questions or comments about this advisory, email us at security@plone.org This is also the correct address to use when you want to report a possible vulnerability. See our security report policy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Products.ATContentTypes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-28T22:15:57Z",
    "nvd_published_at": "2022-01-28T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nPlone is vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish.\nThe technique is known as cache poisoning.\nAny later visitor can get redirected when clicking on a link on this page.\nUsually only anonymous users are affected, but this depends on your cache settings.\n\n### Patches\nA new version 3.0.6 of Products.ATContentTypes has been released with a fix.\nThis version works on Plone 5.2 (Python 2 only) and will be included in Plone 5.2.7.\n\nNote that the Products.CMFPlone package has the same problem in the 4.3 series.\n`plone.app.contenttypes` has the same problem in all versions, see [advisory](https://github.com/plone/plone.app.contenttypes/security/advisories/GHSA-f7qw-5fgj-247x).\nFor all unpatched versions of the three packages, you can use the following workaround.\n\n### Workaround\nMake sure the image_view_fullscreen page is not stored in the cache.\nIn Plone:\n\n* Login as Manager and go to Site Setup.\n* Go to the \u0027Caching\u0027 control panel. If this does not exist, or \u0027Enable caching\u0027 is not checked, you should normally not be vulnerable.\n* Click on the tab \u0027Caching operations\u0027.\n* Under \u0027Legacy template mappings\u0027 locate the ruleset \u0027Content item view\u0027.\n* From the last column (\u0027Templates\u0027)  remove \u0027image_view_fullscreen\u0027.\n* Click on Save.\n\n### Reporter\nThis vulnerability was responsibly disclosed to the Plone Security Team by Gustav Hansen, F-Secure Consulting. Thank you!\n\n### For more information\nIf you have any questions or comments about this advisory, email us at [security@plone.org](mailto:security@plone.org)\nThis is also the correct address to use when you want to report a possible vulnerability.\nSee [our security report policy](https://plone.org/security/report).",
  "id": "GHSA-g4c2-ghfg-g5rh",
  "modified": "2024-10-21T20:59:14Z",
  "published": "2022-01-28T23:10:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/plone/Products.ATContentTypes/security/advisories/GHSA-g4c2-ghfg-g5rh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23599"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/Products.ATContentTypes/commit/fc793f88f35a15a68b52e4abed77af0da5fdbab8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/plone/Products.ATContentTypes"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/products-atcontenttypes/PYSEC-2022-21.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cross-site Scripting and Open Redirect in Products.ATContentTypes"
}

GHSA-G4GC-RH26-M3P5

Vulnerability from github – Published: 2024-09-09 21:31 – Updated: 2024-09-09 22:34
VLAI
Summary
Keycloak Open Redirect vulnerability
Details

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.

Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-7260"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-09T22:34:51Z",
    "nvd_published_at": "2024-09-09T19:15:14Z",
    "severity": "MODERATE"
  },
  "details": "An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the `referrer` and `referrer_uri` parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.\n\nOnce a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the `redirect_uri` using URL encoding, to hide the text of the actual malicious website domain.",
  "id": "GHSA-g4gc-rh26-m3p5",
  "modified": "2024-09-09T22:34:51Z",
  "published": "2024-09-09T21:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7260"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6502"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6503"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7260"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301875"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Keycloak Open Redirect vulnerability"
}

GHSA-G4RF-PC26-6HMR

Vulnerability from github – Published: 2021-03-23 15:26 – Updated: 2024-10-08 12:43
VLAI
Summary
OMERO webclient does not validate URL redirects on login or switching group.
Details

Background

OMERO.web supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.

Impact

OMERO.web before 5.9.0

Patches

5.9.0

Workarounds

No workaround

References

For more information

If you have any questions or comments about this advisory: * Open an issue in omero-web * Email us at security

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "omero-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-23T15:25:55Z",
    "nvd_published_at": "2021-03-23T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Background\nOMERO.web supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the ``omero.web.redirect_allowed_hosts`` setting.\n\n### Impact\nOMERO.web before 5.9.0\n\n### Patches\n5.9.0\n\n### Workarounds\nNo workaround\n\n### References\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [omero-web](https://github.com/ome/omero-web)\n* Email us at [security](mailto:security@openmicroscopy.org.uk)",
  "id": "GHSA-g4rf-pc26-6hmr",
  "modified": "2024-10-08T12:43:19Z",
  "published": "2021-03-23T15:26:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21377"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ome/omero-web"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/omero-web/PYSEC-2021-32.yaml"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/omero-web"
    },
    {
      "type": "WEB",
      "url": "https://www.openmicroscopy.org/security/advisories/2021-SV2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OMERO webclient does not validate URL redirects on login or switching group."
}

GHSA-G4V8-Q2MR-M933

Vulnerability from github – Published: 2026-06-21 21:31 – Updated: 2026-06-22 18:34
VLAI
Details

A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm of the component SAML Common Domain Cookie Endpoint. Performing a manipulation of the argument url results in open redirect. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-21T19:16:23Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm of the component SAML Common Domain Cookie Endpoint. Performing a manipulation of the argument url results in open redirect. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-g4v8-q2mr-m933",
  "modified": "2026-06-22T18:34:11Z",
  "published": "2026-06-21T21:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12804"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/979"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3619"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-12804"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/836105"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/372598"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/372598/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G547-2JPP-GW38

Vulnerability from github – Published: 2022-05-17 02:41 – Updated: 2022-05-17 02:41
VLAI
Details

Sleipnir 4 Black Edition for Mac 4.5.3 and earlier and Sleipnir 4 for Mac 4.5.3 and earlier (Mac App Store) may allow a remote attacker to spoof the URL display via a specially crafted webpage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-7831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-09T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Sleipnir 4 Black Edition for Mac 4.5.3 and earlier and Sleipnir 4 for Mac 4.5.3 and earlier (Mac App Store) may allow a remote attacker to spoof the URL display via a specially crafted webpage.",
  "id": "GHSA-g547-2jpp-gw38",
  "modified": "2022-05-17T02:41:02Z",
  "published": "2022-05-17T02:41:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7831"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN28151745/index.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94830"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G553-9232-WH7F

Vulnerability from github – Published: 2023-07-19 03:30 – Updated: 2024-04-04 06:16
VLAI
Details

IBM Security Verify Access 10.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 252186.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-19T01:15:09Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Verify Access 10.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.  IBM X-Force ID:  252186.",
  "id": "GHSA-g553-9232-wh7f",
  "modified": "2024-04-04T06:16:37Z",
  "published": "2023-07-19T03:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30433"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/252186"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7012613"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5QG-MM6J-8CM3

Vulnerability from github – Published: 2023-12-14 15:30 – Updated: 2024-02-15 12:30
VLAI
Details

The package authelia-bhf included in Beckhoffs TwinCAT/BSD is prone to an open redirect that allows a remote unprivileged attacker to redirect a user to another site. This may have limited impact to integrity and does solely affect anthelia-bhf the Beckhoff fork of authelia.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6545"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-14T14:15:45Z",
    "severity": "MODERATE"
  },
  "details": "The package authelia-bhf included in Beckhoffs TwinCAT/BSD is prone to an open redirect that allows a remote unprivileged attacker to redirect a user to another site. This may have limited impact to integrity and does solely affect anthelia-bhf the Beckhoff fork of authelia.",
  "id": "GHSA-g5qg-mm6j-8cm3",
  "modified": "2024-02-15T12:30:50Z",
  "published": "2023-12-14T15:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6545"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2023-067"
    },
    {
      "type": "WEB",
      "url": "https://download.beckhoff.com/download/Document/product-security/Advisories/advisory-2023-001.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G5QX-H5F3-MP2F

Vulnerability from github – Published: 2026-06-19 21:15 – Updated: 2026-06-19 21:15
VLAI
Summary
TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
Details

TinaCMS registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source, and post messages using non-specific target origins. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe/forge the OAuth popup channel to take over an authenticated editing session.

Fixed in #7056 by allow-listing trusted origins and verifying event.source (isFromAdmin, isFromTrustedPreviewOrigin), and by posting only to explicit target origins (never "*").

Note: the rich-text URL-sanitization issue previously bundled here has been split into its own advisory (GHSA-2vcc-5v34-9jc8) so each vulnerability can receive a distinct CVE.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "tinacms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@tinacms/app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55660"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-601",
      "CWE-79",
      "CWE-940"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:15:29Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "TinaCMS registers window message listeners \u2014 the useTina overlay handler, the OAuth authentication popup handler, and the admin\u2194preview iframe GraphQL reducer \u2014 that act on event.data without verifying event.origin or event.source, and post messages using non-specific target origins. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe/forge the OAuth popup channel to take over an authenticated editing session.\n\nFixed in [#7056](https://github.com/tinacms/tinacms/pull/7056) by allow-listing trusted origins and verifying event.source (isFromAdmin, isFromTrustedPreviewOrigin), and by posting only to explicit target origins (never \"*\").\n\nNote: the rich-text URL-sanitization issue previously bundled here has been split into its own advisory (GHSA-2vcc-5v34-9jc8) so each vulnerability can receive a distinct CVE.",
  "id": "GHSA-g5qx-h5f3-mp2f",
  "modified": "2026-06-19T21:15:29Z",
  "published": "2026-06-19T21:15:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-g5qx-h5f3-mp2f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/pull/7056"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tinacms/tinacms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover"
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • Use a list of approved URLs or domains to be used for redirection.
Mitigation
Architecture and Design

Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Mitigation MIT-21.2
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Architecture and Design

Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).

Mitigation MIT-6
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
  • Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-178: Cross-Site Flashing

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.