logo

Database

Uncontrolled external site redirect In drupal/core

Description

Drupal Anonymous Open Redirect Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-gfvf-2f25-f34r

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2018-10-17-3.yaml2. https://www.drupal.org/sa-core-2018-006

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.