Drupal External URL injection through URL aliases leading to Open Redirect

2024-05-1520:24:16

CWE-601

GitHub Advisory Database

github.com

drupal

open redirect

url aliases

path module

malicious url

7 High

AI Score

Confidence

High

JSON

The path module in Drupal allows users with the ‘administer paths’ to create pretty URLs for content.
In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.

CPENameOperatorVersion
drupal/corelt8.6.2
drupal/corelt8.5.8
drupal/corelt7.60

Name	Operator	Version
drupal/core	lt	8.6.2
drupal/core	lt	8.5.8
drupal/core	lt	7.60

References

github.com/advisories/GHSA-7f4f-p7mq-p4fv

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2018-10-17-2.yaml

www.drupal.org/sa-core-2018-006

7 High

AI Score

Confidence

High

JSON