CVE-2015-2750
MEDIUM
Drupal 6.x < 6.35 and 7.x < 7.35 - Open Redirect via URL API Functions
Title source: llm
Description
Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence.
References (6)
Core References
http://www.debian.org/security/2015/dsa-3200 (Third Party Advisory; vendor-advisory; x_refsource_debian)
http://www.openwall.com/lists/oss-security/2015/03/26/4 (Mailing List, Patch, VDB Entry; mailing-list; x_refsource_mlist)
http://cgit.drupalcode.org/drupal/commit/includes/menu.inc?h=6.x&id=8ffc5db3c0ab926f3d4b2cf8bc51714c8c0f3c93 (Patch, Third Party Advisory; x_refsource_confirm)
http://www.securityfocus.com/bid/73219 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_bid)
http://cgit.drupalcode.org/drupal/commit/includes/common.inc?h=7.x&id=b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8 (Third Party Advisory; x_refsource_confirm)
https://www.drupal.org/SA-CORE-2015-001 (Patch, Vendor Advisory; x_refsource_confirm)
Scores
CVSS v3: 6.1
EPSS: 0.0069
EPSS Percentile: 71.9%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-601
Status: published
Products (38)
debian/debian_linux 8.0
debian/debian_linux 9.0
drupal/drupal 6.0 (10 CPE variants)
drupal/drupal 6.1
drupal/drupal 6.2
drupal/drupal 6.3
drupal/drupal 6.4
drupal/drupal 6.5
drupal/drupal 6.6
drupal/drupal 6.7
... and 28 more
Published: Sep 13, 2017
Tracked Since: Feb 18, 2026