#VU427 Open redirect in Drupal


Published: 2016-09-14

Vulnerability identifier: #VU427

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-7943

CWE-ID: CWE-601

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description
The vulnerability allows a remote attacker to redirect users of the site to an arbitrary external URL (open redirect, CWE-601).
The weakness exists because the Overlay module, which displays administrative pages in a layer over the current page instead of replacing the page in the browser window, does not sufficiently validate the URL it loads into that layer. A crafted link can therefore make the overlay load a page from an attacker-controlled domain while the browser's address bar still shows the trusted site.
Successful exploitation may be used for phishing and can result in the disclosure of potentially sensitive data, such as credentials entered on the attacker's page. The issue is mitigated by the fact that the Overlay module must be enabled and the victim must be a user with the "Access the administrative overlay" permission.
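The check a practitioner would want here, shown as an added example that is not Drupal's own code and not the 7.41 fix: a JavaScript same-origin validation of the URL an overlay is about to load from an untrusted location (such as a URL fragment). `SITE_ORIGIN`, `BASE_PATH` and the function names are assumptions standing in for the browser's `window.location.origin` and Drupal's `basePath` setting; the sample inputs are constructed.

```javascript
// Added example (not Drupal's code): same-origin validation for a URL that
// arrives in an untrusted location, e.g. a "#overlay=..." fragment used to pick
// the administrative page an overlay iframe should show.
// SITE_ORIGIN and BASE_PATH are assumptions for this offline demo; in a browser
// they would be window.location.origin and the site's base path.
const SITE_ORIGIN = 'https://example.org';
const BASE_PATH = '/';

// Vulnerable pattern: glue the base path to the fragment value and hand the
// result to the iframe. Returns the origin the browser would actually load.
function originOfUncheckedOverlayUrl(fragmentValue, origin = SITE_ORIGIN) {
  const target = BASE_PATH + fragmentValue;      // "/" + "/evil.example/x" = "//evil.example/x"
  return new URL(target, origin + '/').origin;   // protocol-relative: leaves the site
}

// Hardened pattern: resolve the candidate exactly as the browser will, then
// refuse anything whose origin (scheme + host + port) is not the site's own.
// Returns the absolute URL to load, tagged for overlay rendering, or null.
function resolveOverlayUrl(fragmentValue, origin = SITE_ORIGIN) {
  if (typeof fragmentValue !== 'string' || fragmentValue.length === 0) {
    return null;
  }
  let resolved;
  try {
    resolved = new URL(BASE_PATH + fragmentValue, origin + '/');
  } catch (e) {
    return null;                                 // unparsable input
  }
  // Because the base path is prepended, the candidate cannot carry its own
  // scheme; the escapes that remain introduce an authority: a leading "/"
  // (protocol-relative "//host") or a leading "\" (WHATWG URL parsing treats
  // "\" like "/" for http(s)). Comparing origins catches both.
  if (resolved.origin !== origin) {
    return null;
  }
  resolved.searchParams.set('render', 'overlay');
  return resolved.href;
}

// Constructed inputs: a legitimate admin path, a protocol-relative escape and
// a backslash escape.
const samples = ['admin/config', '/evil.example/login', '\\evil.example'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', resolveOverlayUrl(s));
}
```

Resolving with the `URL` parser rather than inspecting the string by hand is the point of the example: a prefix check such as "starts with `/` but not `//`" misses the backslash form, while comparing the parsed origin rejects every variant the browser would treat as a different host.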

Mitigation
Update to 7.41.
https://www.drupal.org/drupal-7.41-release-notes

Vulnerable software versions

Drupal: 7.0 - 7.40


External links
http://www.drupal.org/SA-CORE-2015-004


Q & A

Can this vulnerability be exploited remotely?

Yes. The malicious link can be crafted by a remote non-authenticated attacker via the Internet, but it only takes effect against a victim who is logged in with the "Access the administrative overlay" permission on a site where the Overlay module is enabled.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

