Vulnerability identifier: #VU427
Vulnerability risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-7943
CWE-ID: CWE-601
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Drupal (Web applications / CMS)
Vendor: Drupal
Description
The vulnerability allows attackers to obtain potentially sensitive information.
The weakness exists due to improper functionality of the Overlay module, which insufficiently checks URLs. The module also displays the administrative page in the browser instead of its substitution.
Successful exploitation of this vulnerability may result in obtaining potentially sensitive data.
Mitigation
Update to 7.41.
https://www.drupal.org/drupal-7.41-release-notes
Vulnerable software versions
Drupal: 7.0 - 7.40
External links
https://www.drupal.org/SA-CORE-2015-004
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.