CVE-2016-3164 — Drupal Open Redirect

Description

Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.

How to fix CVE-2016-3164

To remediate CVE-2016-3164, upgrade the affected package to a fixed version below.

Packagist/drupal/core—upgrade to 8.0.4 or later
—upgrade to 6.38 or later

Is CVE-2016-3164 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 8.0, < 8.0.4
>= 6.0, < 6.38

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-3164
PATCHgithub.com/drupal/drupal
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-3164.yaml
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-3164.yaml