
81 matches found

OSV
added 2023/10/22 7:15 p.m. · 0 views

PYSEC-2023-211

views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL, e.g., //example.com attack...

CVSS 6.1 · AI score 6.3 · EPSS 0.0018
Exploits 1 · References 5
Prion
added 2023/10/22 7:15 p.m. · 16 views

Xxe

views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL, e.g., //example.com attack...

CVSS 5.8 · AI score 6.1 · EPSS 0.0018
Exploits 1 · References 4 · Affected Software 1
CVE
added 2023/10/22 12:00 a.m. · 89 views

CVE-2021-46898

CVE-2021-46898 – django-grappelli protocol-relative URL redirect issue. Affected component: views/switch.py in django-grappelli (also known as Django Grappelli) prior to version 2.15.2. The vulnerability arises from an approach that attempts to block external redirects using a startswith("/") chec...

CVSS 6.1 · AI score 6 · EPSS 0.0018
Exploits 1 · References 4 · Affected Software 1
Cvelist
added 2023/10/22 12:00 a.m. · 18 views

CVE-2021-46898

views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL, e.g., //example.com attack...

AI score 6.3 · EPSS 0.0018
Exploits 1 · References 4
UbuntuCve
added 2023/10/16 9:15 a.m. · 17 views

CVE-2023-38059

The loading of external images is not blocked, even if configured, if the attacker uses a protocol-relative URL in the payload. This can be used to retrieve the IP of the user. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; OTRS Community Edition: from 6.0.X through...

CVSS 5.3 · AI score 5.9 · EPSS 0.00371
Exploits 0 · References 2
Prion
added 2023/10/16 9:15 a.m. · 17 views

Code injection

The loading of external images is not blocked, even if configured, if the attacker uses a protocol-relative URL in the payload. This can be used to retrieve the IP of the user. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; OTRS Community Edition: from 6.0.X through...

CVSS 5 · AI score 5.2 · EPSS 0.00371
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2023/10/16 8:10 a.m. · 13 views

CVE-2023-38059 External pictures can be loaded even if not allowed by configuration

The loading of external images is not blocked, even if configured, if the attacker uses a protocol-relative URL in the payload. This can be used to retrieve the IP of the user. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; OTRS Community Edition: from 6.0.X through...

CVSS 5.3 · AI score 6.8 · EPSS 0.00371
Exploits 0 · References 1
SUSE CVE
added 2023/02/15 5:37 a.m. · 1 views

SUSE CVE-2013-2920

The DoResolveRelativeHost function in url/urlcanonrelative.cc in Google Chrome before 30.0.1599.66 allows remote attackers to cause a denial of service (out-of-bounds read) via a relative URL containing a hostname, as demonstrated by a protocol-relative URL beginning with a //www.google.com/...

CVSS 5 · AI score 8.7 · EPSS 0.01461
Exploits 0 · References 5
OSV
added 2022/09/11 2:15 p.m. · 12 views

CVE-2022-25295

This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parser.FormValue("next") to extract the path and eventually redirect the user to a relative URL, but if the next parameter starts with multiple...

CVSS 5.4 · AI score 5.4
Exploits 0 · References 2
CNNVD
added 2022/09/11 12:00 a.m. · 3 views

Gophish input validation error vulnerability

Gophish is an open source phishing framework. A security vulnerability exists in Gophish versions prior to 0.12.0, which can be exploited by attackers to redirect users to a relative url...

CVSS 5.4 · AI score 5.7 · EPSS 0.00213
Exploits 1 · References 3
Hacker One
added 2022/08/09 1:51 p.m. · 83 views

Internet Bug Bounty: [CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname

GHSA: https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3 Report: https://hackerone.com/reports/1642017 Impact SSRF...

CVSS 7.5 · AI score 8.9 · EPSS 0.0039
Exploits 1
OSV
added 2022/05/14 2:09 a.m. · 17 views

GHSA-F7CM-CCFP-3Q4R Django Incorrectly Validates URLs

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL...

CVSS 8.7 · AI score 6 · EPSS 0.00556
Exploits 0 · References 10
NVD
added 2021/07/22 5:15 p.m. · 13 views

CVE-2021-37403

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used...

CVSS 6.1 · EPSS 0.00487
Exploits 0 · References 2
Prion
added 2021/07/22 5:15 p.m. · 18 views

Cross site scripting

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used...

CVSS 4.3 · AI score 6 · EPSS 0.00487
Exploits 0 · References 2 · Affected Software 1
CVE
added 2021/07/22 4:19 p.m. · 39 views

CVE-2021-37403

OX App Suite vulnerable to XSS via a code snippet in user-generated content when a sharing link is created and an App Loader relative URL is used. Affected versions: before 7.10.3-rev32 and before 7.10.4-rev18. The vulnerability stems from how the App Loader relative URL handles shared links. Rem...

CVSS 6.1 · AI score 6 · EPSS 0.00487
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2019/10/17 12:00 a.m. · 8 views

PT-2019-15248 · WordPress · Wordpress

Name of the Vulnerable Software and Affected Versions: WordPress versions prior to 5.2.4. Description: The issue is related to a Server Side Request Forgery (SSRF) vulnerability. This occurs because Windows paths are mishandled during certain validation of relative URLs. Recommendations: For version...

CVSS 9.8 · AI score 6.4 · EPSS 0.72902
Exploits 2 · References 39
Amazon
added 2019/05/16 12:00 a.m. · 22 views

Important: mod_auth_mellon

Issue Overview: A vulnerability was found in a previous version of mod_auth_mellon. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes, treating them ...

CVSS 8.1 · AI score 7.1 · EPSS 0.02011
Exploits 1
OSV
added 2019/03/27 1:29 p.m. · 30 views

CVE-2019-3877

A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes, treating them as an absolute URL. Thi...

CVSS 6.1 · AI score 6.5 · EPSS 0.00811
Exploits 0 · References 8
RedhatCVE
added 2019/03/22 1:49 p.m. · 29 views

CVE-2019-3877

A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes, treating them as an absolute URL. Thi...

CVSS 6.1 · AI score 4.4 · EPSS 0.00811
Exploits 0 · References 3
Prion
added 2017/03/23 8:59 p.m. · 15 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as demonstrated by a wikilink to...

CVSS 4.3 · AI score 5.6 · EPSS 0.00302
Exploits 0 · References 4 · Affected Software 1