JVN#45898075: Drupal Form API fails to validate the redirect URL

Drupal is a content management system (CMS). Drupal’s Form API fails to validate the redirect URL, which may lead to unintended information disclosure.

Impact

A remote attacker may change the redirect URL of a form. As a result, information such as authentication credentials may be disclosed.

Solution

Update the software
Update to the latest version of Drupal core according to the information provided by the developer.

Products Affected

• Drupal core 7.x versions prior to 7.13