Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| drupal/drupal(Packagist) | 6.0 | 6.38 | N/A |
| drupal/drupal(Packagist) | 7.0 | 7.43 | N/A |
| drupal/drupal(Packagist) | 8.0 | 8.0.4 | N/A |
| drupal/core(Packagist) | 8.0 | 8.0.4 | N/A |
| drupal/core(Packagist) | 7.0 | 7.43 | N/A |
| drupal/core(Packagist) | 6.0 | 6.38 | N/A |
CVSS Metrics
