Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1182940 (CVE-2015-1051) - CVE-2015-1051 drupal7-context: open redirect vulnerability (SA-CONTRIB-2015-004)
Summary: CVE-2015-1051 drupal7-context: open redirect vulnerability (SA-CONTRIB-2015-004)
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2015-1051
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1182941 1182942 1182943 1182944 1182945
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-01-16 09:25 UTC by Vasyl Kaigorodov
Modified: 2020-05-20 21:15 UTC (History)
10 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-05-20 21:15:28 UTC
Embargoed:


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-01-16 09:25:06 UTC
It was reported [1] that Context UI module wasn't checking for external URLs in the HTTP GET destination parameter when redirecting users that are activating/deactivating the Context UI inline editor dialog, thereby leading to an Open Redirect vulnerability.

This vulnerability is mitigated by the fact that the victim must have the permission "administer contexts" and that Context UI module must be enabled.

[1]: https://www.drupal.org/node/2403351

Comment 2 Vasyl Kaigorodov 2015-01-16 09:27:14 UTC
Created drupal6-context tracking bugs for this issue:

Affects: fedora-all [bug 1182941]
Affects: epel-all [bug 1182943]

Comment 3 Vasyl Kaigorodov 2015-01-16 09:27:17 UTC
Created drupal7-context tracking bugs for this issue:

Affects: fedora-all [bug 1182942]
Affects: epel-all [bug 1182944]

Comment 4 Fedora Update System 2015-01-28 19:55:22 UTC
drupal7-context-3.6-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-01-28 20:00:42 UTC
drupal7-context-3.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-01-28 21:38:54 UTC
drupal7-context-3.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-01-28 21:45:13 UTC
drupal7-context-3.6-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Peter Borsa 2015-04-23 06:19:24 UTC
Hi Vasyl!

Can we close this issue because the updated modules are in stable repositories?

Comment 9 Vasyl Kaigorodov 2015-04-23 07:56:19 UTC
(In reply to Peter Borsa from comment #8)
> Hi Vasyl!
> 
> Can we close this issue because the updated modules are in stable
> repositories?

Hi Peter,

This issue also affects OpenShift Online, which is not yet fixed - this bug should remain open until then.

Comment 10 Peter Borsa 2015-04-23 07:58:57 UTC
Hi,

Okay, thanks!

Comment 11 Product Security DevOps Team 2020-05-20 21:15:28 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.


Note You need to log in before you can comment on or make changes to this bug.