Content Construction Kit up to 6.x-2.9 on Drupal destinations redirect
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.0 | $0-$5k | 0.00 |
Summary
A vulnerability identified as critical has been detected in Content Construction Kit up to 6.x-2.9 on Drupal. The affected element is an unknown function. The manipulation of the argument destinations leads to redirect. This vulnerability is listed as CVE-2015-5510. There is no available exploit. You should upgrade the affected component.
Details
A vulnerability, which was classified as critical, has been found in Content Construction Kit up to 6.x-2.9 on Drupal. This issue affects some unknown functionality. The manipulation of the argument destinations with an unknown input leads to a redirect vulnerability. Using CWE to declare the problem leads to CWE-601. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
Open redirect vulnerability in the Content Construction Kit (CCK) 6.x-2.x before 6.x-2.10 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destinations parameter, related to administration pages.
The weakness was presented 08/18/2015 (Website). It is possible to read the advisory at drupal.org. The identification of this vulnerability is CVE-2015-5510 since 07/10/2015. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1204.001 according to MITRE ATT&CK.
Upgrading to version 6.x-2.10 eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 75281†). Be aware that VulDB is the high quality source for vulnerability data.
Product
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 7.0
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: RedirectCWE: CWE-601
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Content Construction Kit 6.x-2.10
Timeline
06/17/2015 🔍07/10/2015 🔍
08/18/2015 🔍
08/18/2015 🔍
08/19/2015 🔍
10/18/2017 🔍
Sources
Advisory: drupal.orgStatus: Not defined
Confirmation: 🔍
CVE: CVE-2015-5510 (🔍)
GCVE (CVE): GCVE-0-2015-5510
GCVE (VulDB): GCVE-100-77303
SecurityFocus: 75281 - Drupal Content Construction Kit Module Open Redirection Vulnerability
Entry
Created: 08/19/2015 10:24Updated: 10/18/2017 11:51
Changes: 08/19/2015 10:24 (48), 10/18/2017 11:51 (5)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.