Drupal core and contributed modules frequently use a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.
CPE | Name | Operator | Version |
---|---|---|---|
drupal/core | eq | 8.4.0 | |
drupal/core | eq | 8.2.6 | |
drupal/core | eq | 8.4.5 | |
drupal/core | eq | 8.1.6 | |
drupal/core | eq | 8.3.7 | |
drupal/core | eq | 8.1.7 | |
drupal/core | eq | 8.3.4 | |
drupal/core | eq | 8.2.0 | |
drupal/core | eq | 8.3.0-beta1 | |
drupal/core | eq | 8.2.3 |