- Issue created by @bfuzze9898
Hello @bfuzze9898, thank you for pointing out the issue. We have fixed it in the latest version of the module - 5.1.6
- Status changed to Fixed
4 months ago 5:00am 22 August 2024
Users can set an arbitrary value in the destination cookie.
https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/user-c...
Add '?destination=r87.com/?foobar' to login url.
Login
Observer the cookie Drupal.visitor.destination is set to 'r87.com%2F%3Ffoobar'
Sanitize and/or validate the destination parameter before setting the cookie. If it is an external path it must be in trusted-host-patterns, otherwise it must be a valid internal path.
Fixed
5.1
Code
Hello @bfuzze9898, thank you for pointing out the issue. We have fixed it in the latest version of the module - 5.1.6