Description

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

Remediation

References

CVE-2010-3685

Related Vulnerabilities

MySQL CVE-2012-0486 Vulnerability (CVE-2012-0486)

MySQL CVE-2022-21315 Vulnerability (CVE-2022-21315)

Ruby on Rails Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-3465)

ReviveAdserver Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2016-9126)

WordPress Plugin Business Hours Indicator Cross-Site Scripting (2.3.4)

Severity

Medium

Classification

CVE-2010-3685 CWE-287

Tags

Missing Update Known Vulnerabilities