CVE-2015-2749
MEDIUM
Drupal 6.x < 6.35 and 7.x < 7.35 - Open Redirect via Destination Parameter
Title source: llm
Description
Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
References (6)
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1204753
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/73219
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/SA-CORE-2015-001
Patch, Vendor Advisory x_refsource_confirm
http://cgit.drupalcode.org/drupal/commit/?id=d2304f840c43c190c6e136ee9901ed9797b4c3ca
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3200
Mailing List, Patch, VDB Entry mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/03/26/4
Scores
CVSS v3: 6.1
EPSS: 0.0056
EPSS Percentile: 68.6%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-601
Status: published
Products (38)
debian/debian_linux 8.0
debian/debian_linux 9.0
drupal/drupal 6.0 (10 CPE variants)
drupal/drupal 6.1
drupal/drupal 6.2
drupal/drupal 6.3
drupal/drupal 6.4
drupal/drupal 6.5
drupal/drupal 6.6
drupal/drupal 6.7
... and 28 more
Published: Sep 13, 2017
Tracked Since: Feb 18, 2026