Drupal Security TeamDRUPAL-SA-CONTRIB-2015-123jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123
0.005 Low
EPSS
Percentile
76.6%
The jQuery Update module enables you to update jQuery on your site.
The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002).
Only sites with the Overlay module enabled are vulnerable.
CVE identifier(s) issued
- CVE-2015-3233
Versions affected
- jQuery Update 7.x-2.x versions prior to 7.x-2.6
Drupal core is not affected. If you do not use the contributed jQuery Update module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the jQuery Update module 2.x branch, upgrade to jQuery Update 7.x-2.6
Also see the jQuery Update project page.
Reported by
- Jeroen Vreuls
- David Rothstein of the Drupal Security Team
Fixed by
- Pere Orga of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- Rob Loach the module maintainer
Coordinated by
References
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2507555
www.drupal.org/project/jquery_update
www.drupal.org/SA-CORE-2015-002
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/robloach
www.drupal.org/user/124982
www.drupal.org/user/2301194
www.drupal.org/user/2700643
www.drupal.org/writing-secure-code
Related
