Description

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

Remediation

References

CVE-2010-3686

Related Vulnerabilities

Apache HTTP Server Other Vulnerability (CVE-2001-0042)

phpBB Permissions, Privileges, and Access Controls Vulnerability (CVE-2010-1627)

WordPress Plugin Hunk External Links Cross-Site Scripting (3.0.5)

MySQL Other Vulnerability (CVE-2009-4019)

WordPress 5.0.x Multiple Vulnerabilities (5.0 - 5.0.19)

Severity

Medium

Classification

CVE-2010-3686 CWE-287

Tags

Missing Update Known Vulnerabilities