{ "schema_version": "1.7.0", "id": "MGASA-2015-0121", "published": "2015-03-27T21:12:10Z", "modified": "2015-03-27T21:02:53Z", "summary": "Updated drupal packages fix security vulnerabilities", "details": "Password reset URLs can be forged under certain circumstances, allowing an\nattacker to gain access to another user's account without knowing the\naccount's password (CVE-2015-2559).\n\nUnder certain circumstances, malicious users can construct a URL that will\ntrick users into being redirected to a 3rd party website, thereby exposing\nthe users to potential social engineering attacks. In addition, several\nURL-related API functions in Drupal 6 and 7 can be tricked into passing\nthrough external URLs when not intending to, potentially leading to\nadditional open redirect vulnerabilities (CVE-2015-2749, CVE-2015-2750).\n", "upstream": [ "CVE-2015-2559", "CVE-2015-2749", "CVE-2015-2750" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2015-0121.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=15537" }, { "type": "WEB", "url": "https://www.drupal.org/SA-CORE-2015-001" }, { "type": "WEB", "url": "https://www.drupal.org/drupal-7.35" }, { "type": "WEB", "url": "https://www.drupal.org/drupal-7.35-release-notes" }, { "type": "WEB", "url": "http://openwall.com/lists/oss-security/2015/03/20/2" }, { "type": "WEB", "url": "http://openwall.com/lists/oss-security/2015/03/26/4" } ], "affected": [ { "package": { "ecosystem": "Mageia:4", "name": "drupal", "purl": "pkg:rpm/mageia/drupal?arch=source&distro=mageia-4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "7.35-1.mga4" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }