Drupal Overlay Module Open Redirect Vulnerability Fixed in 7.41


Description   A vulnerability was reported in Drupal 7. A remote attacker could exploit it via unspecified vectors in order to redirect their victim to an arbitrary website. The open redirect is located in the Overlay module's JavaScript, which did not properly validate the URL it loads into the administrative overlay. It is exploitable only if the victim has the "Access the administrative overlay" permission and if the Overlay module is enabled. The drupal7 packages provided by Debian Wheezy 7 and Jessie 8 are vulnerable.
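The class of bug described above, as an added example that is not Drupal's overlay-parent.js and not part of the original advisory: a minimal model of an overlay-style handler that loads the path named in the URL fragment into an iframe, shown once without URL validation and once with a same-origin check. The site origin, base path, function names and sample fragments are constructed assumptions for this example.

```javascript
// Added example, not Drupal code: a simplified overlay-style fragment handler.
// SITE_ORIGIN and BASE_PATH are constructed assumptions (BASE_PATH stands in
// for the site's base path setting).
const SITE_ORIGIN = 'https://drupal.example';
const BASE_PATH = '/';

// Extract the "overlay" value from a fragment such as "#overlay=admin/config".
// Returns null when the fragment carries no overlay path or is mis-encoded.
function overlayPathFromHash(hash) {
  const m = /^#?overlay=(.*)$/.exec(hash || '');
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
}

// VULNERABLE: resolves the fragment value relative to the site and hands the
// result to the iframe with no check on where it points. Protocol-relative
// ("//host/"), absolute ("https://host/") and backslash ("\\host/") variants
// all resolve to a foreign origin, which is the open redirect.
function vulnerableIframeUrl(hash) {
  const path = overlayPathFromHash(hash);
  if (path === null) return null;
  return new URL(path, SITE_ORIGIN + BASE_PATH).href;
}

// HARDENED: resolve the same way, then require that the resolved URL stays on
// this site's origin and under its base path; anything else falls back to the
// front page. Checking the resolved URL (not the raw string) is what catches
// "///host", "\\host" and "javascript:" forms, whose origin is foreign or "null".
function hardenedIframeUrl(hash) {
  const path = overlayPathFromHash(hash);
  const fallback = new URL(BASE_PATH, SITE_ORIGIN).href;
  if (path === null) return fallback;
  let resolved;
  try {
    resolved = new URL(path, SITE_ORIGIN + BASE_PATH);
  } catch (e) {
    return fallback;
  }
  const sameOrigin = resolved.origin === new URL(SITE_ORIGIN).origin;
  const underBase = resolved.pathname.startsWith(BASE_PATH);
  return sameOrigin && underBase ? resolved.href : fallback;
}

// Constructed sample fragments: one legitimate, the rest open-redirect attempts.
const SAMPLES = [
  '#overlay=admin/config',
  '#overlay=//attacker.example/phish',
  '#overlay=https://attacker.example/phish',
  '#overlay=\\\\attacker.example/phish',
  '#overlay=javascript:alert(1)',
];

// Side-by-side view of what each handler would load for every sample fragment.
function compare() {
  return SAMPLES.map((hash) => ({
    hash,
    vulnerable: vulnerableIframeUrl(hash),
    hardened: hardenedIframeUrl(hash),
  }));
}

for (const row of compare()) {
  console.log(row.hash, '->', 'vulnerable:', row.vulnerable, '| hardened:', row.hardened);
}
```

Only the first sample survives the hardened check unchanged; every other fragment is redirected back to the front page instead of to attacker.example. The victim still has to follow a crafted link, which is why the advisory scopes the impact to users who hold the overlay permission.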
     
Vulnerable Products   Vulnerable OS:
Fedora (Red Hat) - 21, 22, 23
FreeBSD (FreeBSD) - All
GNU/Linux (Debian) - 7, 8
Vulnerable Software:
Drupal (Drupal) - 7.0, 7.1, 7.10, 7.11, 7.12, ..., 7.5, 7.6, 7.7, 7.8, 7.9 (7.x releases before 7.41)
     
Solution   Upgrade to Drupal 7.41 or later. Fixed drupal7 packages for Debian Wheezy 7 are available in the LTS suite (DLA 548-1); Fedora 21 and 22 ship drupal7-7.41-1, and the drupal7-jquery_update-2.7-1 updates listed under References cover the related jQuery Update advisory (SA-CONTRIB-2015-158).
     
CVE   CVE-2015-7943
     
References   - SA-CORE-2015-004 : Core - Overlay Open Redirect
https://www.drupal.org/SA-CORE-2015-004
- SA-CONTRIB-2015-158 : jQuery Update - Open Redirect
https://www.drupal.org/node/2598426
- SA-CONTRIB-2015-159 : LABjs - Open Redirect
https://www.drupal.org/node/2598434
- Debian Security Tracker : drupal7
https://security-tracker.debian.org/tracker/CVE-2015-7943
- VuXML : drupal -- open redirect vulnerability
https://www.vuxml.org/freebsd/75f39413-7a00-11e5-a2a1-002590263bf5.html
- FEDORA-2015-54365 : Fedora 21 Update: drupal7-7.41-1.fc21
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170709.html
- FEDORA : Fedora 22 Update: drupal7-7.41-1.fc22
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171006.html
- FEDORA : Fedora 21 Update: drupal7-jquery_update-2.7-1.fc21
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171671.html
- FEDORA-2015-0 : Fedora 22 Update: drupal7-jquery_update-2.7-1.fc22
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171661.html
- FEDORA : Fedora 23 Update: drupal7-jquery_update-2.7-1.fc23
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171654.html
- DLA 548-1 : drupal7 security update
https://lists.debian.org/debian-lts-announce/2016/07/msg00009.html
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm: Site with open redirect (available since 4.0.0)
     

Risk level   Low
Vulnerability First Public Report Date   2015-10-21
Target Type   Client
Possible exploit   Remote