CVSS Score

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/drupal | composer | >= 7.0, < 7.13 | 7.13 |
The vulnerability stems from improper validation of the 'destination' parameter in Drupal's Form API. The functions drupal_get_destination() and drupal_goto() are core components of Drupal's redirection logic: drupal_get_destination() retrieves the user-supplied 'destination' value without sufficient validation, and drupal_goto() performs the redirect. Because these functions (prior to Drupal 7.13) did not check that the destination was an internal URL, a crafted 'destination' value could redirect the user to an external site. This corresponds to CWE-20 (improper input validation) and CWE-601 (open redirect), as described in the advisories. The Form API's reliance on these functions for post-submit redirection makes them the primary vectors.
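The following PHP snippet is an added illustration of the missing check, not code from Drupal core or from the advisories: it validates a user-supplied 'destination' value so that only site-local paths are used as redirect targets, and it handles the common ways an external target can be disguised (absolute URLs with a scheme, protocol-relative `//host` forms, backslash variants that browsers normalise to `//`, and control characters). The function names `is_local_destination()` and `safe_redirect_target()` and the sample inputs are constructed for this example.

```php
<?php
// Added illustration (not Drupal core code): validate a user-supplied
// 'destination' value before it is used in a redirect. Only site-local
// paths pass; anything that could leave the site is rejected.

function is_local_destination(string $destination): bool
{
    // Reject control characters and whitespace: they are never valid in a
    // local path and could carry CRLF into a Location header.
    if (preg_match('/[\x00-\x20\x7f]/', $destination)) {
        return false;
    }

    // Browsers treat a backslash in the authority position like a slash,
    // so "/\evil.example" is effectively "//evil.example". Normalise first.
    $normalized = str_replace('\\', '/', $destination);

    // Protocol-relative URLs ("//host/...") inherit the scheme but leave the site.
    if (substr($normalized, 0, 2) === '//') {
        return false;
    }

    // Anything that starts with a scheme (http:, https:, javascript:, data:, ...)
    // is external. Checking the prefix directly also catches values that
    // parse_url() would refuse to parse.
    if (preg_match('/^[a-zA-Z][a-zA-Z0-9+.\-]*:/', $normalized)) {
        return false;
    }

    // Defence in depth: if parse_url() still reports a scheme or host, reject.
    $parts = parse_url($normalized);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return false;
    }

    return true;
}

// Redirect helper: use the destination only when it is local, otherwise
// fall back to a fixed in-site path (here the front page).
function safe_redirect_target(string $destination, string $fallback = '/'): string
{
    return is_local_destination($destination) ? $destination : $fallback;
}

// Constructed sample inputs (not taken from any real request or log).
$samples = [
    'node/1'                         => true,
    '/user/login?destination=node/2' => true,
    'admin/config#overview'          => true,
    'http://evil.example/phish'      => false,
    'https://evil.example'           => false,
    '//evil.example/phish'           => false,
    '/\\evil.example'                => false,   // single backslash after the quotes are resolved
    'javascript:alert(1)'            => false,
    "node/1\r\nSet-Cookie: x=1"      => false,
];

foreach ($samples as $input => $expected) {
    $result = is_local_destination($input);
    printf("%-36s local=%-5s %s\n",
        json_encode($input),
        $result ? 'true' : 'false',
        $result === $expected ? 'ok' : 'MISMATCH');
}

echo safe_redirect_target('https://evil.example'), "\n";  // falls back to "/"
```

The scheme check is deliberately conservative: a local path whose first segment contains a colon (for example `node:1`) is also rejected, which is the safe direction for a redirect target. In an application, the fallback path should be a fixed in-site location rather than another user-controlled value.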