CVSS Score
The vulnerability stems from improper validation of redirect URLs. Drupal's drupal_goto() function in includes/common.inc is the core mechanism for processing redirects. Prior to Drupal 7.70, this function relied on url_is_external() for validation, which could be bypassed using protocol-relative URLs (e.g., '//example.com') or improperly sanitized user input from the 'destination' parameter. The lack of strict whitelist-based validation for internal URLs allowed attackers to craft malicious redirects. This aligns with CWE-601 and the described open redirect behavior.
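The paragraph above describes the failure mode (a scheme-based "is this external?" check that lets protocol-relative targets through). The following is an added example, not Drupal core code and not the 7.70 patch, showing the kind of strict allow-list check a site would apply to a 'destination' parameter before handing it to a redirect function. The function names (is_safe_internal_redirect, safe_redirect_target) and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not Drupal core code): a strict, allow-list style check for
// "destination"-type redirect parameters. Only site-relative paths are
// accepted; everything a scheme-only check can miss, such as protocol-relative
// URLs ("//example.com") and their backslash variants, is rejected.

function is_safe_internal_redirect(string $destination): bool
{
    // Reject empty values and anything carrying control characters or
    // whitespace, which some browsers strip before parsing the URL.
    if ($destination === '' || preg_match('/[\x00-\x20\x7f]/', $destination)) {
        return false;
    }
    // Reject protocol-relative targets and backslash variants:
    // "//evil.test", "\\evil.test" and "/\evil.test" all resolve off-site.
    if (preg_match('#^[/\\\\]{2}#', $destination)) {
        return false;
    }
    // Reject anything that starts with a URL scheme ("https:", "javascript:", "data:").
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $destination)) {
        return false;
    }
    // Belt and braces: parse_url() must not find a scheme, host or credentials.
    $parts = parse_url($destination);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return true;
}

/**
 * Return the redirect target to use: the requested destination when it is
 * site-internal, otherwise the caller-supplied fallback path.
 */
function safe_redirect_target(?string $destination, string $fallback = '/'): string
{
    if ($destination !== null && is_safe_internal_redirect($destination)) {
        return $destination;
    }
    return $fallback;
}

// Constructed sample inputs showing which values are allowed and which are denied.
$samples = [
    'node/1',                 // allow: site-relative path
    '/user/login?foo=bar',    // allow: leading slash, query string kept
    '//example.com/phish',    // deny: protocol-relative
    '/\\example.com',         // deny: backslash variant of protocol-relative
    'https://example.com',    // deny: absolute URL
    'javascript:alert(1)',    // deny: non-http scheme
    "/user\n//example.com",   // deny: control character in the value
];
foreach ($samples as $s) {
    printf("%-28s => %s\n", json_encode($s), is_safe_internal_redirect($s) ? 'allow' : 'deny');
}
echo 'target: ', safe_redirect_target('//example.com', '/user'), "\n"; // falls back to /user
```

The point of the check is that it does not try to decide what is "external"; it only accepts the narrow shape of a site-relative path and denies everything else. On a Drupal 7 site the upgrade to 7.70 is the actual fix; a wrapper like this is the defence-in-depth layer a site can put around its own redirect handling, and it is also a useful unit-test oracle for confirming that protocol-relative inputs never reach the redirect.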
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/core | composer | >= 7.0.0, < 7.70 | 7.70 |
| drupal/drupal | composer | >= 7.0.0, < 7.70 | 7.70 |