Open redirect in Drupal - CVE-2016-3164
Published: September 14, 2016
Vulnerability identifier: #VU426
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-3164
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Detailed vulnerability description
The vulnerability allows attackers to gain access to potentially sensitive information.
The vulnerability is caused by the use of an external URL as a redirect destination. After a victim visits a specially crafted address, a malicious user can obtain the user's valid data.
Successful exploitation of this vulnerability results in a remote attacker gaining access to potentially sensitive information.
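The defensive pattern for CWE-601 is to validate a redirect destination before issuing the redirect, accepting only local paths or an allow-listed host. The following is an added example written for this page; it is not Drupal's code, and the allowed host names and the sample destinations are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts that count as "this site".
ALLOWED_HOSTS = {"example.org", "www.example.org"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is an absolute local path or points at an allowed host."""
    if not target:
        return False
    # Control characters and whitespace are stripped by some user agents,
    # which can turn a rejected string into a working external URL; refuse them.
    if any(ord(c) < 0x21 for c in target):
        return False
    # Browsers treat backslashes like forward slashes ("/\evil.test" == "//evil.test"),
    # so normalise before parsing.
    normalised = target.replace("\\", "/")
    # Protocol-relative URLs ("//evil.test/...") leave the site.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    # Only web schemes are acceptable; javascript:, data:, etc. are refused.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if not parts.netloc:
        # No host component: accept only an absolute path on this site.
        return normalised.startswith("/")
    # Host present: it must be on the allow-list. `hostname` drops any
    # userinfo ("https://example.org@evil.test" -> "evil.test") and the port.
    host = parts.hostname or ""
    return host.lower() in allowed_hosts


def resolve_redirect(target: str, default: str = "/") -> str:
    """Return `target` if it is safe to redirect to, otherwise a safe default."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample destinations, as a login handler might receive them.
    samples = [
        "/user/profile",
        "https://www.example.org/node/1",
        "//evil.test/phish",
        "/\\evil.test",
        "https://example.org@evil.test/",
        "javascript:alert(1)",
        "http:evil.test",
    ]
    for s in samples:
        print(f"{s!r:40} -> {resolve_redirect(s)!r}")
```

Only the first two sample destinations are returned unchanged; every other form is replaced by the default path. Comparing `hostname` rather than the raw `netloc` is what defeats the userinfo trick, and normalising backslashes before the protocol-relative check is what catches `/\host` forms.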
How to mitigate CVE-2016-3164
Update 6.x to 6.38.
https://www.drupal.org/drupal-6.38-release-notes
Update 7.x to 7.43.
https://www.drupal.org/project/drupal/releases/7.43
Update 8.0.x to 8.0.4.
https://www.drupal.org/project/drupal/releases/8.0.4