The OpenID module in Drupal 6.x prior to 6.18, and the OpenID module 5.x prior to 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote malicious users to bypass authentication by leveraging an assertion from an OpenID provider.

Vulnerable Product |
---|
drupal drupal 6.0 |
drupal drupal 6.1 |
drupal drupal 6.10 |
drupal drupal 6.11 |
drupal drupal 6.12 |
drupal drupal 6.9 |
drupal drupal 6.13 |
drupal drupal 6.15 |
drupal drupal 6.6 |
drupal drupal 6.8 |
drupal drupal 6.17 |
drupal drupal 6.2 |
drupal drupal 6.3 |
drupal drupal 6.4 |
drupal drupal 6.14 |
drupal drupal 6.16 |
drupal drupal 6.5 |
drupal drupal 6.7 |
peter wolanin openid 5.x-1.0 |
peter wolanin openid 5.x-1.1 |
peter wolanin openid 5.x-1.2 |
peter wolanin openid 5.x-1.x |
peter wolanin openid 5.x-1.3 |