CVSS: 6.9EPSS: 0%CPEs: 2EXPL: 0CVE-2021-37699 – Open Redirect in Next.js versions below 11.1.0
https://notcve.org/view.php?id=CVE-2021-37699
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0. • https://github.com/vercel/next.js/releases/tag/v11.1.0 https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15242 – Open Redirect in Next.js
https://notcve.org/view.php?id=CVE-2020-15242
Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain. The issue is fixed in version 9.5.4. Next.js versiones de posteriores e incluyendo a 9.5.0 y anteriores a 9.5.4, son vulnerables a un redireccionamiento abierto. • https://github.com/vercel/next.js/security/advisories/GHSA-x56p-c8cg-q435 https://github.com/zeit/next.js/releases/tag/v9.5.4 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •