CVSS2: 5.8 Medium
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
EPSS: 0.005 Low
Percentile: 76.5%
A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.
This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).
The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.
This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected.
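A log check for the Field UI redirect described above, as an added example that is not part of the advisory or of Drupal's code: it scans web access log lines for a "destinations" parameter whose value a browser would resolve to another host. The site hostname, the log format, the request paths and the sample lines are constructed assumptions; the array forms of the parameter name follow PHP's query-string syntax.

```python
import re
from urllib.parse import parse_qsl, urlsplit

SITE_HOSTS = {"www.example.org"}  # assumption: hostnames that count as this site
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PARAM_RE = re.compile(r"^destinations(\[[^\]]*\])?$")  # also destinations[] / [0]

# Constructed sample access log lines (documentation IPs and .example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jun/2015:10:00:01 +0000] "GET /admin/structure/types/manage/article/fields?destinations%5B%5D=admin/structure/types HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Jun/2015:10:02:13 +0000] "GET /admin/structure/types/manage/article/fields?destinations%5B%5D=http%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 302 0',
    '198.51.100.7 - - [18/Jun/2015:10:02:40 +0000] "GET /admin/structure/types/manage/article/fields?destinations[0]=%2F%5Cphish.example HTTP/1.1" 302 0',
    '192.0.2.10 - - [18/Jun/2015:10:05:00 +0000] "GET /node/1?destination=node/2 HTTP/1.1" 200 1024',
]


def is_offsite(value):
    """Return True if a browser would resolve value to a host outside SITE_HOSTS."""
    v = value.strip().replace("\\", "/")  # browsers treat "\" like "/"
    parts = urlsplit(v)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return True  # non-web schemes are never a valid on-site path
    if parts.netloc:  # absolute URL or scheme-relative "//host/..."
        return (parts.hostname or "").lower() not in SITE_HOSTS
    return False  # plain relative path stays on the site


def suspicious_requests(log_lines):
    """Return (client, decoded value) for each off-site "destinations" value."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if PARAM_RE.match(name) and is_offsite(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(client, value)
```

Hits are leads for review rather than proof of a successful redirect; the same host test can be applied to a redirect target before it is followed.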
Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed CCK module: SA-CONTRIB-2015-126.
The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.
This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.
On sites utilizing Drupal 7's render cache system to cache content on the site by user role, private content viewed by user 1 may be included in the cache and exposed to non-privileged users.
This vulnerability is mitigated by the fact that render caching is not used in Drupal 7 core itself (it requires custom code or the contributed Render Cache module to enable) and that it only affects sites that have user 1 browsing the live site. Exposure is also limited if an administrative role has been assigned to the user 1 account (which is done, for example, by the Standard install profile that ships with Drupal core).
Install the latest version:
Also see the Drupal core project page.
Impersonation in the OpenID module:
Open redirect in the Field UI module:
Open redirect in the Overlay module:
Information disclosure in the render cache system: