CVE-2015-2750
Published: 13 September 2017
Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence.
From the Ubuntu security team
It was discovered that Drupal did not properly protect against open redirects. An attacker could use this vulnerability to send unsuspecting users to 3rd party sites and potentially carry out phishing attacks.
Priority
Medium
CVSS 3 base score: 6.1
Status
| Package | Release | Status |
|---|---|---|
|
drupal6 Launchpad, Ubuntu, Debian |
Upstream |
Released
(6.35)
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
Patches: Upstream: http://cgit.drupalcode.org/drupal/commit/includes/menu.inc?h=6.x&id=8ffc5db3c0ab926f3d4b2cf8bc51714c8c0f3c93 |
||
|
drupal7 Launchpad, Ubuntu, Debian |
Upstream |
Released
(7.32-1+deb8u2)
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
(7.32-1+deb8u3)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was needed)
|
|
|
Patches: Upstream: http://cgit.drupalcode.org/drupal/commit/includes/common.inc?h=7.x&id=b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8 |
||