Security advisories: Drupal core – Moderately critical – Open Redirect – SA-CORE-2020-003

Project:

Drupal core

Date:

2020-May-20

Security risk:

Moderately critical 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All

Vulnerability:

Open Redirect

Description:

Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.

The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.

Other versions of Drupal core are not vulnerable.

Solution:

Install the latest version:

If you use Drupal 7.x upgrade to Drupal 7.70

Reported By:

vortfu

Fixed By:

Drew Webber of the Drupal Security Team
Fabian Franz
David Snopek of the Drupal Security Team
vortfu