Drupal Anonymous Open Redirect

Moderate severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database

Package

composer drupal/drupal (Composer)

Affected versions

>= 8.0.0, < 8.5.8
>= 8.6.0, < 8.6.2

Patched versions

8.5.8
8.6.2

Description

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a third-party website, thereby exposing those users to potential social engineering attacks.
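The following is an added example to illustrate the class of bug described above; it is not Drupal core code and not the fix shipped in 8.5.8 / 8.6.2. The function names (`naive_redirect_target`, `safe_redirect_target`) and the sample inputs are constructed for the example. It shows the unsafe pattern (using the `destination` value as-is) next to a defensive check that only accepts a path local to the current site, rejecting absolute URLs, scheme-relative `//host` forms and encoded variants of them.

```php
<?php
// Added example, not Drupal core code: defensive handling of a "destination"
// query parameter so that a post-action redirect stays on the current site.

/**
 * Unsafe pattern the advisory describes: whatever arrives in ?destination=
 * becomes the redirect target, so a crafted link pointing at another host
 * sends the user off-site after the action completes.
 */
function naive_redirect_target(string $destination): string {
    return $destination;
}

/**
 * Hardened variant: accept only an absolute path local to this site.
 * Returns the validated target, or $fallback when the value is rejected.
 */
function safe_redirect_target(?string $destination, string $fallback = '/'): string {
    if ($destination === null || $destination === '') {
        return $fallback;
    }
    // Decode once so an encoded "%2F%2Fhost" is examined as "//host".
    $candidate = rawurldecode($destination);

    // Reject control characters and whitespace; some URL parsers tolerate
    // them in front of a scheme, which defeats simple prefix checks.
    if (preg_match('/[\x00-\x20]/', $candidate)) {
        return $fallback;
    }
    // Reject anything carrying a scheme ("https:", "javascript:", ...).
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate)) {
        return $fallback;
    }
    // Reject scheme-relative forms: "//host", "/\host", "\\host", "\/host".
    // Browsers normalise backslashes to slashes, so treat both alike.
    if (preg_match('#^[/\\\\]{2}#', $candidate)) {
        return $fallback;
    }
    // Require an absolute local path; relative values are ambiguous.
    if ($candidate[0] !== '/') {
        return $fallback;
    }
    // Belt and braces: parse_url() must not find a host or scheme in
    // something we are about to treat as a local path.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['host']) || isset($parts['scheme'])) {
        return $fallback;
    }
    return $candidate;
}

// Constructed inputs for a self-check (run with: php this_file.php).
// Keys are the raw ?destination= values, values are the expected outcome.
$cases = [
    '/user/1'               => '/user/1',
    '/node/add?foo=bar'     => '/node/add?foo=bar',
    'https://evil.example/' => '/',
    '//evil.example/'       => '/',
    '/\\evil.example/'      => '/',
    '%2F%2Fevil.example'    => '/',
    'javascript:alert(1)'   => '/',
    'user/1'                => '/',
    ''                      => '/',
];
foreach ($cases as $input => $expected) {
    $got = safe_redirect_target($input);
    printf("%-26s -> %-22s %s\n",
        var_export($input, true), var_export($got, true),
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

The check deliberately returns a fixed fallback rather than trying to "repair" a rejected value: an allow-list of local paths is easier to reason about than a deny-list of hostile ones, and any redirect target that survives the check can be logged alongside the originating request if you want detection coverage for attempted abuse.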

References

Published to the GitHub Advisory Database May 15, 2024
Reviewed May 15, 2024

Severity

Moderate
5.8 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-x6v2-xmrq-574j

Source code
