[arch-security] [ASA-201503-18] drupal: multiple issues
anthraxx at archlinux.org
Fri Mar 20 14:51:42 UTC 2015
Arch Linux Security Advisory ASA-201503-18
Date : 2015-03-20
CVE-ID : CVE-2015-2559
Package : drupal
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package drupal before version 7.35-1 is vulnerable to access bypass
and open redirects.
Upgrade to 7.35-1.
# pacman -Syu "drupal>=7.35-1"
The problems have been fixed upstream in version 7.35.
- CVE-2015-2559 (access bypass)
Password reset URLs can be forged under certain circumstances, allowing
an attacker to gain access to another user's account without knowing the
In Drupal 7, this vulnerability is mitigated by the fact that it can
only be exploited on sites where accounts have been imported or
programmatically edited in a way that results in the password hash in
the database being the same for multiple user accounts.
- None (open redirect)
Under certain circumstances, malicious users can use the destination URL
parameter to construct a URL that will trick users into being redirected
to a 3rd party website, thereby exposing the users to potential social
A remote attacker may gain access to another user's account or take
advantage of open redirect issues to trick users into being redirected
to a 3rd party website.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-security