GHSA-gfvf-2f25-f34r: Drupal Anonymous Open Redirect

May 15, 2024

Drupal core and contributed modules frequently use a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

References

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2018-10-17-3.yaml
github.com/advisories/GHSA-gfvf-2f25-f34r
github.com/drupal/core
www.drupal.org/sa-core-2018-006

Code Behaviors & Features

Detect and mitigate GHSA-gfvf-2f25-f34r with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →