CVE-2016-3167

Name of the Vulnerable Software and Affected Versions Drupal versions 6.x before 6.38

Description The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. This is achieved via a double-encoded URL in the destination parameter of the drupal goto function, specifically when used with PHP before 5.4.7.

Recommendations For Drupal versions 6.x before 6.38, update to version 6.38 or later to resolve the issue. As a temporary workaround, consider restricting access to the drupal goto function to minimize the risk of exploitation. Avoid using the destination parameter in the affected function until the issue is resolved.