#VU426 Open redirect in Drupal - CVE-2016-3164
Published: September 14, 2016
Vulnerability identifier: #VU426
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-3164
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Drupal
Software vendor:
Drupal
Description
The vulnerability allows attackers to get access to potentially sensitive information.
The vulnerability is caused by the use of an external URL. After a victim visits a specially crafted address, a malicious user can easily obtain the valid user's data.
Successful exploitation of this vulnerability allows a remote attacker to gain access to potentially sensitive information.
Remediation
Update 6.x to 6.38.
https://www.drupal.org/drupal-6.38-release-notes
Update 7.x to 7.43.
https://www.drupal.org/project/drupal/releases/7.43
Update 8.0.x to 8.0.4.
https://www.drupal.org/project/drupal/releases/8.0.4