Drupal 7.x < 7.41 Overlay Module Open Redirect

Severity: low | Nessus Network Monitor Plugin ID 9219

Synopsis

The remote server is hosting an outdated installation of Drupal that is affected by an open redirect vulnerability.

Description

The remote web server is running a 7.x version of Drupal prior to 7.41. It is, therefore, affected by an open redirect vulnerability in the Overlay module, caused by improper validation of URLs before their contents are displayed. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to redirect a victim from the intended legitimate website to an arbitrary website. The vulnerability can only be exploited against Drupal users who have the 'Access the administrative overlay' permission and for whom the Overlay module is enabled.
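
The root cause named above is a redirect target that is accepted without first being checked against the site's own origin. The following is an added illustration of such a check, written for this page and not taken from Drupal or from the Overlay module's fix; the function names, the host name `example.org` and the sample targets are constructed for the example. It rejects the usual ways a redirect parameter can be made to leave the site (absolute URLs to another host, scheme-relative `//host` paths, backslash variants that browsers normalise to slashes, user-info tricks such as `site@evil`, and non-HTTP schemes) and falls back to a fixed local path when the target is unsafe.

```python
from urllib.parse import urlsplit


def is_safe_redirect(target: str, site_host: str) -> bool:
    """Return True only if following `target` keeps the browser on `site_host`.

    Constructed example for illustration; not Drupal's own validation code.
    """
    if not target:
        return False
    # Browsers treat backslashes like forward slashes, so "/\evil.example"
    # is effectively "//evil.example"; normalise before parsing.
    normalized = target.strip().replace("\\", "/")
    parts = urlsplit(normalized)

    if parts.scheme:
        # Absolute URL: accept only http(s), and only when the parsed host
        # (which strips any "user@" prefix and port) is this site.
        if parts.scheme.lower() not in ("http", "https"):
            return False
        return parts.hostname is not None and parts.hostname == site_host.lower()

    if parts.netloc:
        # Scheme-relative "//host/..." resolves to another origin.
        return False

    # Relative target: require exactly one leading "/" so it cannot be
    # reinterpreted as "//host" (or "///host") by the browser.
    return normalized.startswith("/") and not normalized.startswith("//")


def safe_redirect_target(target: str, site_host: str, fallback: str = "/") -> str:
    """Return `target` if it is safe to redirect to, otherwise `fallback`."""
    return target if is_safe_redirect(target, site_host) else fallback


if __name__ == "__main__":
    # Constructed sample redirect parameters, as an attacker or a legitimate
    # link might supply them; "example.org" stands in for the protected site.
    samples = [
        "/user/1",
        "https://example.org/admin/config",
        "//evil.example/phish",
        "/\\evil.example",
        "https://example.org@evil.example/",
        "http:evil.example",
        "javascript:alert(1)",
    ]
    for sample in samples:
        print(f"{sample!r:45} -> {safe_redirect_target(sample, 'example.org')}")
```

Of the constructed samples only the first two survive the check; everything else is replaced by the `/` fallback, which is the behaviour a redirect handler wants when it cannot prove a target is local.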

Solution

Upgrade to Drupal 7.41 or later.

See Also

https://www.drupal.org/SA-CORE-2015-004

https://www.drupal.org/drupal-7.41-release-notes

https://www.drupal.org/security

Plugin Details

Severity: Low

ID: 9219

Family: CGI

Published: 4/8/2016

Updated: 3/6/2019

Nessus ID: 86673

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Patch Publication Date: 10/21/2015

Vulnerability Publication Date: 6/17/2015

Reference Information

CVE: CVE-2015-7943

BID: 77293