CVE-2015-2749
Published: 13 September 2017
Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
From the Ubuntu Security Team
It was discovered that Drupal did not properly protect against open redirects. An attacker could use this vulnerability to send unsuspecting users to 3rd party sites and potentially carry out phishing attacks.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
drupal6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| lucid |
Ignored
(reached end-of-life)
|
|
| precise |
Does not exist
(precise was needed)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(6.35)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: http://cgit.drupalcode.org/drupal/commit/?h=6.x&id=8ffc5db3c0ab926f3d4b2cf8bc51714c8c0f3c93 |
||
|
drupal7 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(7.32-1+deb8u3)
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| lucid |
Does not exist
|
|
| precise |
Does not exist
(precise was needed)
|
|
| trusty |
Released
(7.26-1ubuntu0.1+esm1)
|
|
| upstream |
Released
(7.32-1+deb8u2)
|
|
| utopic |
Released
(7.32-1+deb8u4build0.14.10.1)
|
|
| vivid |
Not vulnerable
(7.32-1+deb8u3)
|
|
| wily |
Not vulnerable
(7.32-1+deb8u3)
|
|
| xenial |
Not vulnerable
(7.32-1+deb8u3)
|
|
| yakkety |
Not vulnerable
(7.32-1+deb8u3)
|
|
| zesty |
Not vulnerable
(7.32-1+deb8u3)
|
|
|
Patches: upstream: http://cgit.drupalcode.org/drupal/commit/?h=7.x&id=b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |