CVSS Score
The vulnerability stems from improper validation of URLs in the language switcher block. The locale_language_switcher_url() function in Drupal 7's locale module builds the language-switch URLs. It used the current path or the untrusted 'destination' parameter without sufficient sanitization, so an attacker could craft a URL that redirects users to an external site. The fix in 7.57 likely added validation to ensure the generated URLs are internal. The link between the language switcher mechanics and the CWE-601 (open redirect) classification strongly implicates this function.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/core | composer | >= 7.0, < 7.57 | 7.57 |
| drupal/drupal | composer | >= 7.0, < 7.57 | 7.57 |
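As an added illustration, not Drupal's own code and not the 7.57 patch, a standalone PHP check of the kind the description calls for: it accepts a user-supplied destination only when it is a site-relative path and rejects the forms browsers resolve off-site. The function names and sample inputs are constructed for this example; it assumes the value has already been URL-decoded once by PHP, as $_GET['destination'] is.

```php
<?php
// Constructed example (hypothetical helper, not Drupal's API): decide whether
// a user-supplied 'destination' is safe to use as a redirect target, i.e. it
// stays on this site. Drupal 7 itself ships url_is_external() for this job;
// this check is independent of it so the file runs on its own.
function is_internal_destination(string $destination): bool
{
    $d = $destination;
    if ($d === '') {
        return false;
    }
    // Control characters (tab, CR, LF, NUL, ...) are either ignored by
    // browsers when parsing URLs or enable header injection: reject outright.
    if (preg_match('/[\x00-\x1f\x7f]/', $d)) {
        return false;
    }
    // Anything with a scheme ("http:", "javascript:", "data:") leaves the site.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $d)) {
        return false;
    }
    // Protocol-relative targets ("//evil.example") and their backslash
    // variants ("/\evil.example", "\\evil.example") resolve off-site.
    if (preg_match('#^[/\\\\]{2}#', $d)) {
        return false;
    }
    // What remains is a plain path such as "node/1" or "/user/login".
    return true;
}

// Use the supplied destination only when it passes; otherwise fall back to
// a fixed internal path instead of echoing the untrusted value.
function safe_redirect_target(string $destination, string $fallback = '/'): string
{
    return is_internal_destination($destination) ? $destination : $fallback;
}

// Constructed sample inputs showing the decision for each form.
$samples = [
    'node/1',                      // internal: accepted
    '/user/login?x=1',             // internal: accepted
    'http://evil.example/',        // scheme: rejected
    '//evil.example/',             // protocol-relative: rejected
    '/\\evil.example',             // backslash variant: rejected
    "javascript:alert(1)",         // scheme: rejected
    "/node/1\r\nSet-Cookie: a=b",  // control chars: rejected
];
foreach ($samples as $s) {
    printf("%-32s -> %s\n", json_encode($s), safe_redirect_target($s));
}
```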