High severity7.4NVD Advisory· Published Apr 12, 2016· Updated May 6, 2026
CVE-2016-3167
CVE-2016-3167
Description
Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
drupal/corePackagist | >= 6.0, < 6.38 | 6.38 |
drupal/drupalPackagist | >= 6.0, < 6.38 | 6.38 |
Affected products
47cpe:2.3:a:drupal:drupal:6.0:beta2:*:*:*:*:*:*+ 44 more
- cpe:2.3:a:drupal:drupal:6.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:dev:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.10:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.11:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.12:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.13:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.14:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.15:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.16:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.17:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.18:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.19:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.20:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.21:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.22:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.23:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.24:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.25:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.26:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.27:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.28:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.29:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.30:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.31:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.32:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.33:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.34:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.35:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.36:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.37:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.8:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:6.9:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- www.drupal.org/SA-CORE-2016-001nvdPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-gxwx-c7m8-f95hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-3167ghsaADVISORY
- www.debian.org/security/2016/dsa-3498nvdWEB
- www.openwall.com/lists/oss-security/2016/02/24/19nvdWEB
- www.openwall.com/lists/oss-security/2016/03/15/10nvdWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-3167.yamlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-3167.yamlghsaWEB
News mentions
0No linked articles in our index yet.