Description
Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.
References (3)
Core 3
Core References
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2016/dsa-3718
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/94367
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/SA-CORE-2016-005
Scores
CVSS v3
6.8
EPSS
0.0012
EPSS Percentile
30.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Details
CWE
CWE-601
Status
published
Products (35)
drupal/core
7.0 - 7.52Packagist
drupal/drupal
7.0 (16 CPE variants)
drupal/drupal
7.1
drupal/drupal
7.2
drupal/drupal
7.3
drupal/drupal
7.4
drupal/drupal
7.10
drupal/drupal
7.11
drupal/drupal
7.12
drupal/drupal
7.13
... and 25 more
Published
Nov 25, 2016
Tracked Since
Feb 18, 2026