CVEbaza.plSłownik CWECWE-698
Common Weakness Enumeration

CWE-698

Execution After Redirect (EAR)

Kategoria: BaseCVE: 17
Opis

Aplikacja webowa wysyła przekierowanie do innej lokalizacji, ale zamiast się zakończyć, wykonuje dodatkowy kod. Może to prowadzić do wykonania niechcianego kodu lub ujawnienia poufnych informacji przed faktycznym przekierowaniem użytkownika.

Description (EN)

The web application sends a redirect to another location, but instead of exiting, it executes additional code.

Podatności CVE z CWE-698 (17)
9.8
CVSS
CRITICAL
CVE-2026-2699

Podatność w Progress ShareFile Storage Zones Controller (Customer Managed) umożliwia nieuwierzytelnionemu atakującemu dostęp do chronionych stron konfiguracyjnych systemu. W konsekwencji może dojść do zmiany konfiguracji systemu oraz wykonania zdalnego kodu (RCE).

pub. 2026-04-02
9.8
CVSS
CRITICAL
CVE-2025-8350

Podatność w systemie BiEticaret CMS (Inrove Software and Internet Services) umożliwia ominięcie uwierzytelnienia poprzez mechanizm Execution After Redirect (EAR) oraz brak zabezpieczeń krytycznych funkcji. Zagrożenie jest oceniane jako krytyczne (CVSS 9.8), ponieważ nie wymaga żadnych uprawnień ani interakcji użytkownika.

pub. 2026-02-19
9.2
CVSS
CRITICAL
CVE-2026-58455

Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands by exploiting a missing exit() after an authentication redirect in loader.php combined with unsanitized input passed to shell_exec() in ajax/compose.php. Attackers can seed the required session flag through the incomplete auth check, then inject arbitrary commands via the composePath POST parameter in the composePull action to achieve full host compromise, facilitated by the standard deployment mounting of the Docker socket.

pub. 2026-07-02
8.7
CVSS
HIGH
CVE-2025-6967

Execution After Redirect (EAR) vulnerability in Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass. This issue affects CMS: through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

pub. 2026-02-10
8.6
CVSS
HIGH
CVE-2024-48766

NetAlertX 24.7.18 before 24.10.12 allows unauthenticated file reading because an HTTP client can ignore a redirect, and because of factors related to strpos and directory traversal, as exploited in the wild in May 2025. This is related to components/logs.php.

pub. 2025-05-13
7.3
CVSS
HIGH
CVE-2024-3376

A vulnerability classified as critical has been found in SourceCodester Computer Laboratory Management System 1.0. This affects an unknown part of the file config.php. The manipulation of the argument url leads to execution after redirect. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259497 was assigned to this vulnerability.

pub. 2024-04-06
7.3
CVSS
HIGH
CVE-2024-2635

The configuration pages available are not intended to be placed on an Internet facing web server, as they expose file paths to the client, who can be an attacker. Instead of rewriting these pages to avoid this vulnerability, they will be dismissed from future releases of Cegid Meta4 HR, as they do not offer product functionality

pub. 2024-03-19
7.3
CVSS
HIGH
CVE-2024-2569

A vulnerability was found in SourceCodester Employee Task Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin-manage-user.php. The manipulation leads to execution after redirect. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257072.

pub. 2024-03-18
7.3
CVSS
HIGH
CVE-2024-2570

A vulnerability was found in SourceCodester Employee Task Management System 1.0. It has been classified as critical. This affects an unknown part of the file /edit-task.php. The manipulation leads to execution after redirect. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257073 was assigned to this vulnerability.

pub. 2024-03-18
7.3
CVSS
HIGH
CVE-2024-2571

A vulnerability was found in SourceCodester Employee Task Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /manage-admin.php. The manipulation leads to execution after redirect. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257074 is the identifier assigned to this vulnerability.

pub. 2024-03-18
7.3
CVSS
HIGH
CVE-2024-2572

A vulnerability was found in SourceCodester Employee Task Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /task-details.php. The manipulation leads to execution after redirect. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257075.

pub. 2024-03-18
7.3
CVSS
HIGH
CVE-2024-2573

A vulnerability classified as critical has been found in SourceCodester Employee Task Management System 1.0. Affected is an unknown function of the file /task-info.php. The manipulation leads to execution after redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257076.

pub. 2024-03-18
6.5
CVSS
MEDIUM
CVE-2025-53077

An execution after redirect in Samsung DMS(Data Management Server) allows attackers to execute limited functions without permissions. An attacker could compromise the integrity of the platform by executing this vulnerability.

pub. 2025-07-29
5.5
CVSS
MEDIUM
CVE-2025-9848

A security vulnerability has been detected in ScriptAndTools Real Estate Management System 1.0. The affected element is an unknown function of the file /admin/userlist.php. Such manipulation leads to execution after redirect. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

pub. 2025-09-03
2.1
CVSS
LOW
CVE-2026-10271

W systemie a4m4 Student-Management-System do wersji f0c5f6842c5e8c431ff02b5260a565ca844df3a0 wykryto podatność. Narażona funkcja znajduje się w pliku admin/ komponentu Admin Endpoint, a manipulacja parametrem uid prowadzi do wykonania kodu po przekierowaniu — atak możliwy jest zdalnie. Exploit został opublikowany i jest aktywnie wykorzystywany. Ze względu na rolling release brak szczegółów wersji; podatność dotyczy wielu endpoints, a projekt nie odpowiedział jeszcze na zgłoszone ostrzeżenie.

pub. 2026-06-01
2.1
CVSS
LOW
CVE-2026-3262

W systemie go2ismail Asp.Net-Core-Inventory-Order-Management-System do wersji 9.20250118 odkryto podatność. Dotyczy ona nieznanej funkcji komponentu Administrative Interface, która może prowadzić do open redirect. Atak może być przeprowadzony zdalnie, exploit został ujawniony publicznie, a producent nie udzielił odpowiedzi na zgłoszenie.

pub. 2026-02-26
2.1
CVSS
LOW
CVE-2026-3264

W go2ismail Free-CRM do wersji b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1 odkryta została podatność w nieznanej funkcjonalności Administrative Interface. Manipulacja może prowadzić do wykonania kodu po przekierowaniu (execution after redirect). Atak można przeprowadzić zdalnie, a exploit został ujawniony publicznie. Produkt korzysta z rolling release, dlatego informacje o wersji są niedostępne, a producent nie odpowiedział na wcześniejsze powiadomienie.

pub. 2026-02-26
Informacje
ID: CWE-698
Typ: Base
Podatności: 17
MITRE CWE ↗
← Słownik CWE