Drupal Core Open Redirect

Description
  • Drupal Core allows the redirect target to be overridden with the destination query parameter. An attacker can use this to send the user to an external domain. For example, the following URL:
    http://www.drupal.local//?destination=https://attacker.com\@www.drupal.local/
    
    will redirect the user to the domain attacker.com.
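    The check below is an added example, not Drupal's own code: it shows why the destination value above is dangerous (a naive URL parser reads the host as www.drupal.local, while browsers treat the backslash as a slash and land on attacker.com) and how a defender can classify a destination after mirroring that browser normalization. The allowed host name is an assumption taken from the example URL.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the site's own host(s); taken from the example URL on this page.
ALLOWED_HOSTS = {"www.drupal.local"}


def naive_host(dest: str) -> str:
    """What a parser that does NOT normalise backslashes reports as the host."""
    return (urlsplit(dest).hostname or "").lower()


def browser_normalize(dest: str) -> str:
    """Mirror browser (WHATWG) parsing: '\\' acts like '/' in http(s) URLs."""
    return unquote(dest).strip().replace("\\", "/")


def classify_redirect(dest: str) -> str:
    """Return 'local' for a same-site destination, otherwise 'external'."""
    d = browser_normalize(dest)
    if not d:
        return "local"  # empty value: no redirect override takes place
    # A relative path is local, but '//host' is scheme-relative (external).
    if d.startswith("/") and not d.startswith("//"):
        return "local"
    parts = urlsplit(d)
    host = (parts.hostname or "").lower()
    # Absolute URL: local only if it points at one of our own hosts.
    if parts.scheme in ("http", "https") and host in ALLOWED_HOSTS:
        return "local"
    return "external"


def should_block_request(request_target: str) -> bool:
    """Block a request whose destination parameter would leave the site."""
    query = urlsplit(request_target).query
    for value in parse_qs(query, keep_blank_values=True).get("destination", []):
        if classify_redirect(value) == "external":
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the request from this page's description.
    evil = "//?destination=https://attacker.com\\@www.drupal.local/"
    print(naive_host("https://attacker.com\\@www.drupal.local/"))   # www.drupal.local (misleading)
    print(classify_redirect("https://attacker.com\\@www.drupal.local/"))  # external
    print(should_block_request(evil))  # True
```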
Remediation
  • Upgrade to the latest version of Drupal.
  • Block requests with multiple forward slashes that contain an external domain in the destination parameter.
References