- Advisory ID: DRUPAL-SA-CONTRIB-2015-126
- Project: Content Construction Kit (CCK) (third-party module)
- Version: 6.x
- Date: 2015-June-17
- Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
- Vulnerability: Open Redirect
The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser.
CCK uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.
See also: SA-CORE-2015-002
CVE identifier(s) issued
- Content Construction Kit (CCK) 6.x-2.x versions prior to 6.x-2.10.
Drupal core is not affected. If you do not use the contributed Content Construction Kit (CCK) module, there is nothing you need to do.
Install the latest version:
- If you use the Content Construction Kit (CCK) module for Drupal 6.x, upgrade to Content Construction Kit (CCK) 6.x-2.10
Also see the Content Construction Kit (CCK) project page.
- Pere Orga of the Drupal Security Team
- Neil Drumm, module maintainer and member of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity