FreeBSD : drupal -- open redirect vulnerability (75f39413-7a00-11e5-a2a1-002590263bf5)

Nessus Plugin ID 86587 (severity: medium)

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

The Drupal development team reports:

The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the 'Access the administrative overlay' permission, and that the Overlay module must be enabled.

An incomplete fix for this issue was released as part of SA-CORE-2015-002.
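The flaw the advisory describes is a missing check before an in-page overlay loads a caller-supplied URL. As an added illustration (not Drupal's own Overlay code and not part of this plugin), the following shows the shape of validation a defender would expect: resolve the candidate against the site's own origin with the WHATWG URL parser and accept it only if it stays on that origin under an allowed path prefix. The function name, the origin `https://site.example`, the `/admin` prefix and the sample inputs are all constructed for this example.

```javascript
// Added example (not Drupal's or Nessus's code): validate a caller-supplied
// URL before an overlay-style feature loads it in-page. Accept only URLs that
// resolve to the site's own origin under an allowed path prefix; everything
// else (off-site hosts, protocol-relative forms, javascript:/data: schemes)
// is refused. Function name, origin and paths are constructed for this example.
function safeOverlayPath(candidate, siteOrigin, allowedPrefix) {
  if (typeof candidate !== "string" || candidate.trim() === "") return null;
  let parsed;
  try {
    // Resolve relative to the site so "/admin/x" becomes an absolute URL.
    // The parser also treats "\" like "/" and "//host" as a new authority,
    // which is exactly what this check needs to notice.
    parsed = new URL(candidate, siteOrigin);
  } catch (e) {
    return null; // unparsable input is refused, not "repaired"
  }
  const site = new URL(siteOrigin);
  // "javascript:" and "data:" URLs have origin "null"; off-site hosts have a
  // different origin. Both fail this comparison.
  if (parsed.origin !== site.origin) return null;
  if (!parsed.pathname.startsWith(allowedPrefix)) return null;
  // Hand back a same-origin relative reference, never the raw input string.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs (no real site) paired with the expected verdict.
const SITE = "https://site.example";
const SAMPLES = [
  ["/admin/config", "/admin/config"],
  ["admin/config?destination=%2Fnode", "/admin/config?destination=%2Fnode"],
  ["//evil.example/admin", null],                    // protocol-relative
  ["/\\evil.example/admin", null],                   // backslash variant
  ["https://evil.example/admin", null],              // absolute, off-site
  ["https://site.example@evil.example/admin", null], // userinfo trick
  ["javascript:alert(1)", null],                     // non-navigational scheme
  ["/user/login", null],                             // same-origin, wrong prefix
];

// Runs every sample through the check; true only if all verdicts match.
function checkAll() {
  return SAMPLES.every(([input, expected]) =>
    safeOverlayPath(input, SITE, "/admin") === expected);
}

for (const [input, expected] of SAMPLES) {
  console.log(JSON.stringify(input), "->", safeOverlayPath(input, SITE, "/admin"),
              checkAll() ? "" : "(mismatch expected " + expected + ")");
}
```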

Solution

Update the affected package.

See Also

http://www.nessus.org/u?034c342d

https://www.openwall.com/lists/oss-security/2015/10/23/6

http://www.nessus.org/u?5bbad59c

Plugin Details

Severity: Medium

ID: 86587

File Name: freebsd_pkg_75f394137a0011e5a2a1002590263bf5.nasl

Version: 2.11

Type: local

Published: 10/26/2015

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:drupal7, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 10/24/2015

Vulnerability Publication Date: 10/21/2015

Reference Information

CVE: CVE-2015-7943