GitHub Advisory Database: GHSA-X6V2-XMRQ-574J
May 15, 2024 - 8:54 p.m.

Drupal Anonymous Open Redirect

2024-05-15 20:54:52
CWE-601
drupal
open redirect
query parameter
malicious users
social engineering

AI Score: 6.9 Medium (Confidence: High)

Drupal core and contributed modules frequently use a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a third-party website, thereby exposing the users to potential social engineering attacks.

Affected configurations

Vulners node:
drupal drupal, Range <8.6.2
OR
drupal drupal, Range <8.5.8

CPE    Name    Operator    Version
drupal/drupal    lt    8.6.2
drupal/drupal    lt    8.5.8
