Open Redirect

Affecting drupal/core package, versions >=7.0.0, <7.60 || >=8.0.0, <8.5.8 || >=8.6.0, <8.6.2

high severity

Overview

drupal/drupal is an open source content management platform powering millions of websites and applications.

Affected versions of this package are vulnerable to Open Redirect. The path module allows users with the "administer paths" permission to create pretty URLs for content. An attacker with that permission could enter a particular path that triggers an open redirect to a malicious URL.
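As an added example (not Drupal's own code), the defender-side check CWE-601 calls for whenever a user-supplied path, such as a path alias, is later emitted as a redirect target: it accepts only root-relative on-site paths and rejects the protocol-relative, backslash and scheme-prefixed forms browsers would follow off-site. The function names are hypothetical and it assumes the application writes the accepted value into the Location header verbatim.

```python
from urllib.parse import urlsplit, unquote


def is_local_path(candidate: str) -> bool:
    """Return True only if `candidate` stays on the current site when used as a redirect target."""
    if not candidate:
        return False
    # Raw control characters and whitespace in a Location value enable header injection
    # and parser confusion, so they are rejected before any other check.
    if any(ord(ch) < 0x20 or ch in " \t\r\n" for ch in candidate):
        return False
    # Browsers treat a backslash as a slash ("/\evil.example" becomes "//evil.example"),
    # and a percent-encoded "//" can survive one decode on the way to the header, so the
    # same rules are applied to the raw value and to the decoded, slash-normalized value.
    for form in (candidate, unquote(candidate).replace("\\", "/")):
        # Exactly one leading slash: none means relative or scheme-prefixed,
        # two means a protocol-relative URL pointing at another host.
        if not form.startswith("/") or form.startswith("//"):
            return False
        parts = urlsplit(form)
        # Any scheme or authority component means the target is not this site.
        if parts.scheme or parts.netloc:
            return False
    return True


def safe_redirect_target(candidate: str, fallback: str = "/") -> str:
    """Use `candidate` if it is local, otherwise fall back to a known-safe on-site path."""
    return candidate if is_local_path(candidate) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate aliases and several off-site variants.
    for alias in ("/node/1", "/node?next=https://evil.example", "//evil.example/x",
                  "/\\evil.example", "https://evil.example", "/%2F%2Fevil.example"):
        print(f"{alias!r:40} -> {safe_redirect_target(alias)!r}")
```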

Remediation

Upgrade drupal/drupal to versions 7.60, 8.5.8, 8.6.2 or higher.

Credit
Brian Osborne
CWE
CWE-601
Snyk ID
SNYK-PHP-DRUPALCORE-72482
Disclosed
17 Oct, 2018
Published
22 Oct, 2018