CVSS: 6.9EPSS: 0%CPEs: 2EXPL: 0CVE-2021-37699 – Open Redirect in Next.js versions below 11.1.0
https://notcve.org/view.php?id=CVE-2021-37699
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0. • https://github.com/vercel/next.js/releases/tag/v11.1.0 https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15242 – Open Redirect in Next.js
https://notcve.org/view.php?id=CVE-2020-15242
Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain. The issue is fixed in version 9.5.4. Next.js versiones de posteriores e incluyendo a 9.5.0 y anteriores a 9.5.4, son vulnerables a un redireccionamiento abierto. • https://github.com/vercel/next.js/security/advisories/GHSA-x56p-c8cg-q435 https://github.com/zeit/next.js/releases/tag/v9.5.4 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.0EPSS: 16%CPEs: 1EXPL: 0CVE-2020-5284 – Directory Traversal in Next.js versions below 9.3.2
https://notcve.org/view.php?id=CVE-2020-5284
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2. • https://github.com/zeit/next.js/releases/tag/v9.3.2 https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2018-18282
https://notcve.org/view.php?id=CVE-2018-18282
Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. Next.js 7.0.0 y 7.0.1 tiene Cross-Site Scripting (XSS) mediante las páginas /_error 404 o 500. • https://github.com/ossf-cve-benchmark/CVE-2018-18282 https://github.com/zeit/next.js/releases/tag/7.0.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 17EXPL: 1CVE-2018-6184
https://notcve.org/view.php?id=CVE-2018-6184
ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace. ZEIT Next.js 4 en versiones anteriores a la 4.2.3 tiene un salto de directorio bajo el espacio de nombre de petición /_next. • https://github.com/ossf-cve-benchmark/CVE-2018-6184 https://github.com/zeit/next.js/releases/tag/4.2.3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •