OpenID impersonation in Drupal - #VU495
Published: September 16, 2016 / Updated: September 16, 2016
Vulnerability identifier: #VU495
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Detailed vulnerability description
The vulnerability allows one user to access another user's account.
The weakness exists due to improper implementation of the OpenID Authentication 2.0 specification. When two users share the same OpenID 2.0 provider, one of them can access the other's account.
Successful exploitation of the vulnerability gives access to another user's account.