#VU433 Open redirect in Drupal - CVE-2015-3233


Vulnerability identifier: #VU433

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-3233

CWE-ID: CWE-601

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description
The vulnerability allows attackers to obtain potentially sensitive information.
The weakness exists because the Overlay module does not sufficiently validate URLs before displaying their contents. The module displays administrative pages as a layer over the current page in the browser rather than replacing it, so a URL that passes the check can send the user to an attacker-chosen location (an open redirect, CWE-601).
Successful exploitation of this vulnerability may result in obtaining potentially sensitive data.
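As an added illustration of the weakness class named above (insufficient URL checking leading to an open redirect, CWE-601), and not Drupal's own Overlay code: a Python validator that accepts only same-site paths as a redirect or overlay target, beside the kind of prefix check that lets host-bearing forms through. The sample targets are constructed for the example.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


def weak_is_local(target: str) -> bool:
    """Insufficient check of the kind behind CWE-601: anything beginning
    with '/' is trusted. Protocol-relative URLs ('//evil.example/') and
    backslash variants ('/\\evil.example') also begin with '/'."""
    return target.startswith("/")


def safe_local_path(target: str) -> Optional[str]:
    """Return `target` as a normalised same-site path, or None if it could
    leave the site. Rejects absolute URLs, host-bearing forms, control
    characters and backslash tricks; keeps the query and fragment."""
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return None
    # Browsers treat '\' like '/' when resolving, so normalise first.
    candidate = target.replace("\\", "/")
    # '//host', '///host' and similar all resolve to a foreign authority.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return None
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return None
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


# Constructed sample targets (not from the advisory) and the expected verdicts.
SAMPLES = {
    "/admin/config?x=1#top": "/admin/config?x=1#top",
    "admin/config": None,                 # relative path, ambiguous base
    "//evil.example/": None,              # protocol-relative URL
    "///evil.example": None,              # browsers skip extra slashes
    "/\\evil.example": None,              # backslash variant
    "https://evil.example/x": None,       # absolute URL
    "javascript:alert(1)": None,          # scheme, not a path
    "/admin\r\nLocation: x": None,        # control characters
}


def check_samples() -> Dict[str, bool]:
    """Map each sample to whether safe_local_path() returns the expected verdict."""
    return {t: safe_local_path(t) == want for t, want in SAMPLES.items()}


if __name__ == "__main__":
    for t in SAMPLES:
        print(f"{t!r:32} weak={weak_is_local(t)!s:5} safe={safe_local_path(t)!r}")
```

Running the block prints, for each sample, the verdict of the weak prefix check next to the strict one; only the first sample survives the strict check.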

Mitigation
Update Drupal 7.x to version 7.38.
https://www.drupal.org/drupal-7.38-release-notes

Vulnerable software versions

Drupal: 7.0 - 7.37


External links
https://www.drupal.org/SA-CORE-2015-002


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

