CVE-2016-3167

Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.

CVSS v3.0 7.4 HIGH
CVSS v2.0 6.4 MEDIUM

7.4^/10

CVSS v3.0 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Exploitability : 2.8 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

6.4^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2016/02/24/19
http://www.debian.org/security/2016/dsa-3498
https://www.drupal.org/SA-CORE-2016-001	Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2016/03/15/10

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

OR	cpe:2.3:a:drupal:drupal:6.36:::::::*
	cpe:2.3:a:drupal:drupal:6.35:::::::*
	cpe:2.3:a:drupal:drupal:6.34:::::::*
	cpe:2.3:a:drupal:drupal:6.33:::::::*
	cpe:2.3:a:drupal:drupal:6.20:::::::*
	cpe:2.3:a:drupal:drupal:6.2:::::::*
	cpe:2.3:a:drupal:drupal:6.19:::::::*
	cpe:2.3:a:drupal:drupal:6.18:::::::*
	cpe:2.3:a:drupal:drupal:6.0:dev::::::
	cpe:2.3:a:drupal:drupal:6.0:beta4::::::
	cpe:2.3:a:drupal:drupal:6.0:beta3::::::
	cpe:2.3:a:drupal:drupal:6.0:beta2::::::
	cpe:2.3:a:drupal:drupal:6.14:::::::*
	cpe:2.3:a:drupal:drupal:6.24:::::::*
	cpe:2.3:a:drupal:drupal:6.13:::::::*
	cpe:2.3:a:drupal:drupal:6.25:::::::*
	cpe:2.3:a:drupal:drupal:6.12:::::::*
	cpe:2.3:a:drupal:drupal:6.32:::::::*
	cpe:2.3:a:drupal:drupal:6.0:rc3::::::
	cpe:2.3:a:drupal:drupal:6.4:::::::*
	cpe:2.3:a:drupal:drupal:6.11:::::::*
	cpe:2.3:a:drupal:drupal:6.26:::::::*
	cpe:2.3:a:drupal:drupal:6.30:::::::*
	cpe:2.3:a:drupal:drupal:6.22:::::::*
	cpe:2.3:a:drupal:drupal:6.8:::::::*
	cpe:2.3:a:drupal:drupal:6.27:::::::*
	cpe:2.3:a:drupal:drupal:6.28:::::::*
	cpe:2.3:a:drupal:drupal:6.6:::::::*
	cpe:2.3:a:drupal:drupal:6.16:::::::*
	cpe:2.3:a:drupal:drupal:6.0:rc1::::::
	cpe:2.3:a:drupal:drupal:6.29:::::::*
	cpe:2.3:a:drupal:drupal:6.37:::::::*
	cpe:2.3:a:drupal:drupal:6.9:::::::*
	cpe:2.3:a:drupal:drupal:6.0:rc2::::::
	cpe:2.3:a:drupal:drupal:6.0:rc4::::::
	cpe:2.3:a:drupal:drupal:6.7:::::::*
	cpe:2.3:a:drupal:drupal:6.1:::::::*
	cpe:2.3:a:drupal:drupal:6.21:::::::*
	cpe:2.3:a:drupal:drupal:6.17:::::::*
	cpe:2.3:a:drupal:drupal:6.5:::::::*
	cpe:2.3:a:drupal:drupal:6.31:::::::*
	cpe:2.3:a:drupal:drupal:6.10:::::::*
	cpe:2.3:a:drupal:drupal:6.23:::::::*
	cpe:2.3:a:drupal:drupal:6.15:::::::*
	cpe:2.3:a:drupal:drupal:6.3:::::::*

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*

Information

Published : 2016-04-12 08:59

Updated : 2016-04-18 20:20

NVD link : CVE-2016-3167

Mitre link : CVE-2016-3167

JSON object : View

CWE

NVD-CWE-Other

Products Affected

debian

debian_linux

drupal

drupal

php

7.4 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

6.4 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2016-3167

7.4^/10

6.4^/10

Attach tags to `CVE-2016-3167`