Advisories » MGASA-2015-0121

Updated drupal packages fix security vulnerabilities

Publication date: 27 Mar 2015
Modification date: 27 Mar 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-2559, CVE-2015-2749, CVE-2015-2750

Description

Password reset URLs can be forged under certain circumstances, allowing an
attacker to gain access to another user's account without knowing the
account's password (CVE-2015-2559).

Under certain circumstances, malicious users can construct a URL that
redirects users to a third-party website, thereby exposing them to
potential social engineering attacks. In addition, several URL-related API
functions in Drupal 6 and 7 can be tricked into passing through external
URLs when they are not intended to, potentially leading to additional open
redirect vulnerabilities (CVE-2015-2749, CVE-2015-2750).
                

References

SRPMS

4/core