Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-548-1 drupal7

Debian Security Advisory

DLA-548-1 drupal7 -- LTS security update

Date Reported:

11 Jul 2016

Affected Packages:

drupal7

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-7943.

More information:

It was discovered that there was an open redirect vulnerability in drupal7, a content management framework.

The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript) rather than replacing the page in the browser window. The module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

For Debian 7 Wheezy, this issue has been fixed in drupal7 version 7.14-2+deb7u13.

We recommend that you upgrade your drupal7 packages.