#VU15403 Open redirect in Drupal


Published: 2018-10-18

Vulnerability identifier: #VU15403

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: N/A

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description

The vulnerability allows a remote authenticated attacker to perform open redirection attacks.

The vulnerability exists due to the attacker with "administer paths" permissions can use a particular path in the URL that leads to open redirect.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Drupal: 8.6.0 - 8.6.1, 8.5.0 - 8.5.7, 7.0 - 7.60

Fixed software versions

CPE

External links
http://www.drupal.org/sa-core-2018-006

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Debian update for drupal7
Multiple vulnerabilities in Drupal