Acquia Cloud Site Factory Connector - Less Critical - Open Redirect - SA-CONTRIB-2015-125

Acquia Cloud Site Factory provides an environment and a robust set of tools that simplify management of many Drupal sites, allowing you to quickly deliver and manage any number of websites.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002).

Only sites with the Overlay module enabled are vulnerable.

CVE identifier(s) issued

• CVE-2015-3233

Versions affected

• Acquia Cloud Site Factory 7.x-1.x versions prior to 7.x-1.14

Drupal core is not affected. If you do not use the contributed Acquia Cloud Site Factory Connector module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Acquia Cloud Site Factory module for Drupal 7.x, upgrade to Acquia Cloud Site Factory 7.x-1.14

Also see the Acquia Cloud Site Factory Connector project page.

Reported by

• Jeroen Vreuls
• David Rothstein of the Drupal Security Team
• Pere Orga of the Drupal Security Team

Fixed by

• Stéphane Corlosquet, module maintainer and member of the Drupal Security Team

Coordinated by

• The Drupal Security Team