16 matches found
CVE-2026-41455
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network...
CVE-2023-35158
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). It's possible to exploit the restore template to perform an XSS, e.g. by using a URL such as:...
USN-6913-1 php-cas vulnerability
Filip Hejsek discovered that phpCAS was using HTTP headers to determine the service URL used to validate tickets. A remote attacker could possibly use this issue to gain access to a victim's account on a vulnerable CASified service. This security update introduces an incompatible API change. Afte...
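The following is an added example, not phpCAS code, showing in a minimal CAS exchange why the service URL used for ticket validation must come from configuration rather than from the Host or X-Forwarded-Host header. It follows the pattern the advisory describes: a service ticket issued for a service the attacker controls is replayed to the vulnerable service, which validates it against the attacker's service URL because it trusts the header. The ticket store, hostnames and ticket identifiers are constructed; the CAS server is assumed to have the attacker's service registered.

```javascript
// Added example, not phpCAS code. Constructed CAS server, hostnames and
// ticket ids; the exchange shows the consequence of deriving the service
// URL from request headers versus from deployment configuration.

// CAS server side: a service ticket is bound to the exact service URL it
// was issued for, and validation succeeds only when that URL is presented.
class CasServer {
  constructor() { this.tickets = new Map(); }
  issueTicket(user, service) {
    const id = `ST-${this.tickets.size + 1}-constructed`;
    this.tickets.set(id, { user, service });
    return id;
  }
  serviceValidate(ticket, service) {
    const t = this.tickets.get(ticket);
    if (!t || t.service !== service) return { ok: false };
    this.tickets.delete(ticket);          // service tickets are single use
    return { ok: true, user: t.user };
  }
}

// Vulnerable derivation: Host / X-Forwarded-Host are set by whoever sends
// the request, so the attacker chooses which service URL the ticket is
// validated against.
function serviceUrlFromHeaders(req) {
  const host = req.headers['x-forwarded-host'] || req.headers.host;
  const proto = req.headers['x-forwarded-proto'] || 'https';
  return `${proto}://${host}${req.path}`;
}

// Fixed derivation: the service base URL is fixed configuration, which is
// what the incompatible API change in the update forces callers to supply.
function serviceUrlFromConfig(config, req) {
  return `${config.baseUrl}${req.path}`;
}

// The CASified application's login callback.
function handleCallback(cas, req, resolveServiceUrl) {
  const service = resolveServiceUrl(req);
  const res = cas.serviceValidate(req.query.ticket, service);
  return { service, loggedInAs: res.ok ? res.user : null };
}

function casScenario(useConfig) {
  const cas = new CasServer();
  const config = { baseUrl: 'https://app.example' };
  // 1. The victim authenticates to a CASified site the attacker controls;
  //    the CAS server issues a ticket bound to that site's service URL.
  const ticket = cas.issueTicket('victim', 'https://attacker.example/login');
  // 2. The attacker replays the ticket to the vulnerable app with a Host
  //    header naming their own site.
  const req = {
    path: '/login',
    query: { ticket },
    headers: { host: 'attacker.example', 'x-forwarded-proto': 'https' },
  };
  const resolver = useConfig ? r => serviceUrlFromConfig(config, r) : serviceUrlFromHeaders;
  return handleCallback(cas, req, resolver);
}
```

With the header-derived URL the app validates the ticket against `https://attacker.example/login`, the CAS server agrees, and the attacker's browser holds a session as the victim on `app.example`. With the configured URL the validation request names `https://app.example/login`, the ticket does not match, and the login fails.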
Code injection
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). It's possible to exploit the delete template to perform an XSS, e.g. by using a URL such as:...
CVE-2023-35160
XWiki Platform (2.5-milestone-2 and earlier) is affected by a reflected cross-site scripting (XSS) vulnerability in the resubmit template, exploitable via crafted URLs using back and xcontinue parameters (e.g., xpage=resubmit&resubmit=javascript:alert(document.domain)&xback=javascript:alert(docum...
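The three XWiki entries above (the restore, delete and resubmit templates) share one root cause: a request parameter such as `xback` or `xcontinue` that is meant to hold a URL is written into a link or redirect without being validated as a URL, so `javascript:alert(document.domain)` survives. HTML-escaping alone does not help, since that payload contains nothing escaping changes. The following is an added example, not XWiki's code, of validating such a parameter with the WHATWG URL parser; the base origin and allowlist are assumptions for the example.

```javascript
// Added example, not XWiki's code: safely handling a URL-valued request
// parameter (a "back" or "continue" target) that ends up in an <a href> or
// a redirect. The value is validated as a URL first and only then escaped
// for the attribute context. Hostnames and the allowlist are constructed.

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Return a safe href for `raw`, or null. Resolving against `base` with the
// WHATWG parser handles the tricks that string checks miss: leading
// whitespace, embedded tabs/newlines ("java\tscript:"), mixed-case schemes,
// and "//host" or "/\host" protocol-relative forms. `allowedOrigins` is the
// (assumed) list of external origins the application may send users to.
function safeReturnUrl(raw, base, allowedOrigins = []) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try { url = new URL(raw, base); } catch { return null; }
  // Rejects javascript:, data:, vbscript: and anything else non-web.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  const siteOrigin = new URL(base).origin;
  // Same-origin targets are emitted relative, so the host can never be
  // swapped later; external targets must be on the allowlist.
  if (url.origin === siteOrigin) return url.pathname + url.search + url.hash;
  return allowedOrigins.includes(url.origin) ? url.href : null;
}

// Template fragment: validate, then escape for the attribute context.
// Falls back to the site root when the value is unsafe.
function renderBackLink(rawParam, base, allowedOrigins) {
  const href = safeReturnUrl(rawParam, base, allowedOrigins) ?? '/';
  return `<a href="${escapeHtml(href)}">Back</a>`;
}
```

A percent-encoded scheme such as `%6Aavascript:alert(1)` is not decoded by the parser and so becomes a harmless relative path; decoding the parameter yourself before checking it would recreate the hole.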
GHSA-J27G-R58Q-624W Craft CMS subject to URL forgery
Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message...
Craft CMS subject to URL forgery
Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message...
No CSRF protection on the password change form
Impact: it's possible to forge a URL that, when accessed by an admin, resets the password of any user in XWiki. Patches: the problem has been patched in XWiki 12.10.5 and 13.2RC1. Workarounds: it's possible to apply the patch manually by modifying the registermacros.vm template as in...
Mozilla Firefox URL Forgery Vulnerability
Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability exists in versions of Mozilla Firefox prior to 77. An attacker could exploit the vulnerability to forge (spoof) the displayed URL...
DRUPAL-CONTRIB-2019-075
Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forg...
CVE-2019-12836
CVE-2019-12836 affects Bobronix JEditor editor for Jira (JEditor) prior to version 3.0.6. The vulnerability is a cross-site request forgery (CSRF) in which an attacker can induce an authenticated user to follow a link that causes a forged request to an out-of-origin domain, enabling theft of sess...
Google Chromium Omnibox URL Forgery Vulnerability
Google Chromium is a web browser developed by Google; Omnibox is the browser's combined address and search bar. A security vulnerability exists in the Omnibox in versions of Google Chromium prior to 69.0.3497.100. An attacker can exploit the vulnerability to forge (spoof) the displayed URL...
Google Chrome Omnibox URL Spoofing Vulnerability (CNVD-2018-18759)
Google Chrome is a web browser developed by Google, Inc.; Omnibox is the browser's combined address and search bar. A security vulnerability exists in the Omnibox in versions of Google Chrome prior to 68.0.3440.75. A remote attacker can exploit the vulnerability to forge (spoof) the displayed URL with the help of a specially crafted...
Google Chrome OmniBox URL Forgery Vulnerability (CNVD-2018-08820)
Google Chrome is a web browser developed by Google, Inc.; Omnibox is the browser's combined address and search bar. A security vulnerability exists in the Omnibox in versions of Google Chrome prior to 65.0.3325.146. A remote attacker can exploit this vulnerability to forge (spoof) the displayed URL by tricking users into visiting special...
Google Chrome URL address forgery vulnerability
Google Chrome is a popular web browser. An address forgery vulnerability exists in the Google Chrome Omnibox, which remote attackers can exploit by building malicious web pages that trick the browser into parsing...
Updated drupal packages fix security vulnerabilities
Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password (CVE-2015-2559). Under certain circumstances, malicious users can construct a URL that will trick users into being redirected to a 3rd...