Description

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

Remediation

References

CVE-2010-3686

Related Vulnerabilities

WordPress Plugin Advanced Custom Fields PRO Information Disclosure (6.0.2)

MediaWiki Improper Input Validation Vulnerability (CVE-2017-8815)

PHP Use After Free Vulnerability (CVE-2015-1351)

WebLogic CVE-2023-21842 Vulnerability (CVE-2023-21842)

WordPress Plugin Calculated Fields Form Cross-Site Scripting (1.0.81)

Severity

Medium

Classification

CVE-2010-3686 CWE-287

Tags

Missing Update Known Vulnerabilities