CWE-601: URL Redirection to Untrusted Site (Open Redirect)
1,356 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-601 (page 10 of 28)
- CVE-2021-33707 (MEDIUM, CVSS 6.1, EG 6.1, 2021-08-10)
SAP NetWeaver Knowledge Management allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component. This could enable the attacker to compromise the user's confidentiality and in…
- CVE-2021-34254 (MEDIUM, CVSS 6.1, EG 6.1, 2021-06-28)
Umbraco CMS before 7.15.7 is vulnerable to Open Redirection due to insufficient url sanitization on booting.aspx.
- CVE-2021-34763 (MEDIUM, CVSS 4.8, EG 4.8, 2021-10-27)
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an attacker to execute a cross-site scripting (XSS) attack or an open redirect attack. For more information abou…
- CVE-2021-34764 (MEDIUM, CVSS 4.8, EG 4.8, 2021-10-27)
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an attacker to execute a cross-site scripting (XSS) attack or an open redirect attack. For more information abou…
- CVE-2021-34772 (MEDIUM, CVSS 4.7, EG 4.7, 2021-10-06)
A vulnerability in the web-based management interface of Cisco Orbital could allow an unauthenticated, remote attacker to redirect users to a malicious webpage. This vulnerability is due to improper validation of URL paths in the web-based…
- CVE-2021-34807 (MEDIUM, CVSS 6.1, EG 6.1, 2021-07-02)
An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the tok…
- CVE-2021-35037 (MEDIUM, CVSS 6.1, EG 6.1, 2021-07-12)
Jamf Pro before 10.30.1 allows for an unvalidated URL redirect vulnerability affecting Jamf Pro customers who host their environments on-premises. An attacker may craft a URL that appears to be for a customer's Jamf Pro instance, but when …
- CVE-2021-35205 (MEDIUM, CVSS 5.4, EG 5.4, 2021-09-30)
NETSCOUT Systems nGeniusONE version 6.3.0 build 1196 allows URL redirection in redirector.
- CVE-2021-35206 (MEDIUM, CVSS 6.1, EG 6.1, 2021-06-22)
Gitpod before 0.6.0 allows unvalidated redirects.
- CVE-2021-35209 (CRITICAL, CVSS 9.8, EG 9.8, 2021-07-02)
An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied re…
- CVE-2021-35966 (MEDIUM, CVSS 6.1, EG 6.1, 2021-07-19)
The specific function of the Orca HCM digital learning platform does not filter input parameters properly, which causes the URL to be redirectable to any website. Remote attackers can use the vulnerability to execute phishing attacks.
- CVE-2021-36191 (MEDIUM, CVSS 4.1, EG 4.1, 2021-12-08)
A URL redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an attacker to use the device as a proxy via crafted GET parameters in requests to error handlers.
- CVE-2021-36332 (MEDIUM, CVSS 5.4, EG 5.4, 2021-11-23)
Dell EMC CloudLink 7.1 and all prior versions contain an HTML and JavaScript Injection Vulnerability. A remote low privileged attacker may potentially exploit this vulnerability, directing end users to arbitrary and potentially malicious we…
- CVE-2021-3639 (MEDIUM, CVSS 6.1, EG 6.1, 2022-08-22)
A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an …
- CVE-2021-3647 (MEDIUM, CVSS 6.1, EG 6.1, 2021-07-16)
URI.js is vulnerable to URL Redirection to Untrusted Site
- CVE-2021-3654 (MEDIUM, CVSS 6.1, EG 9.0, 2022-03-02)
A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.
- CVE-2021-36580 (MEDIUM, CVSS 6.1, EG 6.1, 2023-07-27)
Open Redirect vulnerability exists in IceWarp MailServer IceWarp Server Deep Castle 2 Update 1 (13.0.1.2) via the referer parameter.
- CVE-2021-3664 (MEDIUM, CVSS 5.3, EG 5.3, 2021-07-26)
url-parse is vulnerable to URL Redirection to Untrusted Site
- CVE-2021-37352 (MEDIUM, CVSS 6.1, EG 6.1, 2021-08-13)
An open redirect vulnerability exists in Nagios XI before version 5.8.5 that could lead to spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click the link.
- CVE-2021-37699 (MEDIUM, CVSS 6.9, EG 6.9, 2021-08-12)
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an ex…
- CVE-2021-37746 (MEDIUM, CVSS 6.1, EG 6.1, 2021-07-30)
textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click.
- CVE-2021-38000 (MEDIUM, CVSS 6.1, EG 9.0, ⚠ KEV, 2021-11-23)
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page.
- CVE-2021-38123 (MEDIUM, CVSS 6.1, EG 6.1, 2021-09-07)
Open Redirect vulnerability in Micro Focus Network Automation, affecting Network Automation versions 10.4x, 10.5x, 2018.05, 2018.11, 2019.05, 2020.02, 2020.08, 2020.11, 2021.05. The vulnerability could allow redirect users to malicious web…
- CVE-2021-3829 (MEDIUM, CVSS 6.1, EG 6.1, 2021-12-10)
openwhyd is vulnerable to URL Redirection to Untrusted Site
- CVE-2021-38343 (MEDIUM, CVSS 4.7, EG 6.1, 2021-08-30)
The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to an Open Redirect via the `page` POST parameter in the `npBulkActions`, `npBulkEdit`, `npListingSort`, and `npCategoryFilter` `admin_post` actions.
- CVE-2021-3851 (MEDIUM, CVSS 5.4, EG 5.4, 2021-10-19)
firefly-iii is vulnerable to URL Redirection to Untrusted Site
- CVE-2021-38678 (MEDIUM, CVSS 6.1, EG 6.1, 2022-01-14)
An open redirect vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerabil…
- CVE-2021-39112 (MEDIUM, CVSS 4.8, EG 4.8, 2021-08-25)
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15…
- CVE-2021-39191 (MEDIUM, CVSS 4.7, EG 4.7, 2021-09-03)
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-par…
- CVE-2021-39425 (MEDIUM, CVSS 6.1, EG 6.1, 2023-07-20)
SeedDMS v6.0.15 was discovered to contain an open redirect vulnerability. An attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.
- CVE-2021-39501 (MEDIUM, CVSS 6.1, EG 6.1, 2021-09-07)
EyouCMS 1.5.4 is vulnerable to Open Redirect. An attacker can redirect a user to a malicious url via the Logout function.
- CVE-2021-3989 (MEDIUM, CVSS 6.1, EG 6.1, 2021-12-01)
showdoc is vulnerable to URL Redirection to Untrusted Site
- CVE-2021-4000 (MEDIUM, CVSS 6.1, EG 6.5, 2021-12-03)
showdoc is vulnerable to URL Redirection to Untrusted Site
- CVE-2021-40852 (MEDIUM, CVSS 6.1, EG 6.1, 2021-12-17)
TCMAN GIM is affected by an open redirect vulnerability. This vulnerability allows the redirection of user navigation to pages controlled by the attacker. The exploitation of this vulnerability might allow a remote attacker to obtain infor…
- CVE-2021-41180 (MEDIUM, CVSS 4.7, EG 4.7, 2022-03-08)
Nextcloud talk is a self hosting messaging service. In versions prior 12.1.2 an attacker is able to control the link of a geolocation preview in the Nextcloud Talk application due to a lack of validation on the link. This could result in a…
- CVE-2021-41733 (MEDIUM, CVSS 6.1, EG 6.1, 2021-11-08)
Oppia 3.1.4 does not verify that certain URLs are valid before navigating to them.
- CVE-2021-41826 (MEDIUM, CVSS 6.1, EG 6.1, 2021-09-30)
PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessions_controller.rb open redirect.
- CVE-2021-42564 (MEDIUM, CVSS 5.4, EG 5.4, 2021-11-30)
An open redirect through HTML injection in confidential messages in Cryptshare before 5.1.0 allows remote attackers (with permission to provide confidential messages via Cryptshare) to redirect targeted victims to any URL via the '<meta ht…
- CVE-2021-4260 (MEDIUM, CVSS 6.3, EG 6.3, 2022-12-19)
A vulnerability was found in oils-js. It has been declared as critical. This vulnerability affects unknown code of the file core/Web.js. The manipulation leads to open redirect. The attack can be initiated remotely. The name of the patch i…
- CVE-2021-43058 (MEDIUM, CVSS 6.1, EG 6.1, 2021-11-01)
An open redirect vulnerability exists in Replicated Classic versions prior to 2.53.1 that could lead to spoofing. To exploit this vulnerability, an attacker could send a link that has a specially crafted URL and convince the user to click …
- CVE-2021-43064 (MEDIUM, CVSS 4.3, EG 4.3, 2021-12-08)
A URL redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows an attacker to use the device as a proxy and reach external or protected hosts via re…
- CVE-2021-4348 (HIGH, CVSS 7.5, EG 7.5, 2023-06-07)
The Ultimate GDPR & CCPA plugin for WordPress is vulnerable to unauthenticated settings import and export via the export_settings & import_settings functions in versions up to, and including, 2.4. This makes it possible for unauthenticated…
- CVE-2021-43532 (MEDIUM, CVSS 6.1, EG 6.1, 2021-12-08)
The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the mid…
- CVE-2021-43777 (MEDIUM, CVSS 6.8, EG 6.8, 2021-11-24)
Redash is a package for data visualization and sharing. In Redash version 10.0 and prior, the implementation of Google Login (via OAuth) incorrectly uses the `state` parameter to pass the next URL to redirect the user to after login. The `…
- CVE-2021-43812 (MEDIUM, CVSS 6.4, EG 6.4, 2021-12-16)
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before 1.6.2 do not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect…
- CVE-2021-44054 (MEDIUM, CVSS 4.3, EG 6.1, 2022-05-05)
An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fi…
- CVE-2021-44528 (MEDIUM, CVSS 6.1, EG 6.1, 2022-01-10)
An open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft "X-Forwarded-Host" headers which, in combination with certain "allowed host" formats, can cause the Host Authorization middleware in Action Pack t…
- CVE-2021-45328 (MEDIUM, CVSS 6.1, EG 6.1, 2022-02-08)
Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs.
- CVE-2021-45408 (MEDIUM, CVSS 6.1, EG 6.1, 2022-02-04)
Open Redirect vulnerability exists in SeedDMS 6.0.15 in out.Login.php, which allows remote malicious users to redirect users to malicious sites using the "referuri" parameter.
- CVE-2021-46366 (HIGH, CVSS 8.8, EG 8.8, 2022-02-11)
An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials.