Main Vulnerability Database SB2016091608

SB2016091608 - OpenID authentication bypass in Drupal Drupal

Published: September 16, 2016

Security Bulletin ID SB2016091608

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) OpenID authentication bypass (CVE-ID: N/A)

The vulnerability allows malicious sites to access users accounts on the sites using the OpenID module.
The weakness is caused by improper OpenID 2.0 protocol verification that allows malicious sites to steal users credentials, get permission from OpenID provider and obtain accounts of people whose data were stolen.
Successful exploitation of the vulnerability leads to hijack of users credentials and access to their accounts containing personal information.

Remediation

Install update from vendor's website.

References

https://www.drupal.org/node/880476