|
Description
|
|
Some weaknesses have been reported in Drupal, which can be exploited by malicious people to conduct spoofing attacks.
Input passed to the "destination" GET parameter related to certain pages is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
The weaknesses are reported in versions prior to 6.35 and prior to 7.35.
|
|
|
|
|
|
Vulnerable Products
|
|
Vulnerable Software:
Drupal 6.xDrupal 7.x
|
|
|
|
|
|
Solution
|
|
Update to version 6.35 or 7.35.
|
|
|
|
|
|
CVE
|
|
CVE-2015-2750
CVE-2015-2749
|
|
|
|
|
|
References
|
|
DRUPAL-SA-CORE-2015-001:
https://www.drupal.org/SA-CORE-2015-001
Drupal Release Notes:
https://www.drupal.org/drupal-6.35-release-notes
https://www.drupal.org/drupal-7.35-release-notes
|
|
|
|
|
|
Vulnerability Manager Detection
|
|
No
|
|
|
|
|
|
IPS Protection
|
|
|
|
|
|
|
