GHSA-7f4f-p7mq-p4fv – drupal/core
Package
Manager: composer
Name: drupal/core
Vulnerable Version: >=7.0 <7.60 || >=8.0.0 <8.5.8 || >=8.6.0 <8.6.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Drupal External URL injection through URL aliases leading to Open Redirect
The path module in Drupal allows users with the 'administer paths' permission to create pretty URLs for content. In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious URL.
Metadata
Created: 2024-05-15T20:24:16Z
Modified: 2024-05-15T20:24:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-7f4f-p7mq-p4fv/GHSA-7f4f-p7mq-p4fv.json
CWE IDs: ["CWE-601"]
Alternative ID: N/A
Finding: F156
Auto approve: 1