Drupal Security TeamDRUPAL-SA-CONTRIB-2015-115Chamilo integration - Less Critical - Open Redirect - SA-CONTRIB-2015-115
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS
Percentile
99.7%
Chamilo integration module integrates Drupal with Chamilo LMS.
The module has an Open Redirect vulnerability, it doesnβt sufficiently check passed parameters in the URL. An attacker could trick users to visit malicious sites without realizing it.
CVE identifier(s) issued
- CVE-2015-5503
Versions affected
- Chamilo integration 7.x-1.x versions prior to 7.x-1.2
Drupal core is not affected. If you do not use the contributed Chamilo integration module, there is nothing you need to do.
Solution
- If you use the Chamilo integration module for Drupal 7.x, upgrade to Chamilo integration 7.x-1.2
Also see the Chamilo integration project page.
Reported by
- Pere Orga of the Drupal Security Team
Fixed by
- Yannick Warnier the module maintainer
- Fernando Paredes GarcΓa the module maintainer
Coordinated by
- Pere Orga of the Drupal Security Team
References
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/chamilo
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/124205
www.drupal.org/user/125473
www.drupal.org/user/2301194
www.drupal.org/writing-secure-code
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS
Percentile
99.7%