[HIGH] Open redirect via double-encoded 'destination' parameter

PKSA-hhyw-n4y2-tjwh CVE-2016-3167 GHSA-gxwx-c7m8-f95h

Affected package: drupal/drupal

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories, GitHub