Drupal Anonymous Open Redirect

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

Published: May 15, 2024
Updated: Jun 27, 2024
GHSA: GHSA-x6v2-xmrq-574j
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CWEs:

CWE-601

Affected Software
References

Software	From	Fixed in
drupal / drupal	8.0.0	8.5.8
drupal / drupal	8.6.0	8.6.2

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2018-10-17-3.yaml
https://www.drupal.org/sa-core-2018-006

Vulnerability Database

289,689

Drupal Anonymous Open Redirect