Drupal core and contributed modules frequently use a βdestinationβ query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.
CPE | Name | Operator | Version |
---|---|---|---|
drupal/core | lt | 8.6.2 | |
drupal/core | lt | 8.5.8 |