Drupal External URL injection through URL aliases leading to Open Redirect · GHSA-r67r-42wx-c8r7 · GitHub Advisory Database · GitHub

Drupal External URL injection through URL aliases leading to Open Redirect

Moderate severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database • Updated May 15, 2024

Package

drupal/drupal (Composer)

Affected versions

>= 7.0, < 7.60

>= 8.0.0, < 8.5.8

>= 8.6.0, < 8.6.2

Patched versions

7.60

8.5.8

8.6.2

Description

The path module in Drupal allows users with the 'administer paths' to create pretty URLs for content.
In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.

References

Published to the GitHub Advisory Database May 15, 2024

Reviewed May 15, 2024

Last updated May 15, 2024