The OpenID module in Drupal 6.x prior to 6.36 and 7.x prior to 7.38 allows remote malicious users to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers.

Vulnerable Product |
---|
drupal drupal 7.0 |
drupal drupal 7.10 |
drupal drupal 7.11 |
drupal drupal 7.18 |
drupal drupal 7.19 |
drupal drupal 7.25 |
drupal drupal 7.26 |
drupal drupal 7.35 |
drupal drupal 7.36 |
drupal drupal 7.9 |
drupal drupal 6.0 |
drupal drupal 7.1 |
drupal drupal 7.16 |
drupal drupal 7.17 |
drupal drupal 7.23 |
drupal drupal 7.24 |
drupal drupal 7.33 |
drupal drupal 7.34 |
drupal drupal 7.7 |
drupal drupal 7.8 |
drupal drupal 6.13 |
drupal drupal 6.14 |
drupal drupal 6.20 |
drupal drupal 6.21 |
drupal drupal 6.28 |
drupal drupal 6.29 |
drupal drupal 6.4 |
drupal drupal 6.5 |
drupal drupal 6.15 |
drupal drupal 6.16 |
drupal drupal 6.22 |
drupal drupal 6.23 |
drupal drupal 6.3 |
drupal drupal 6.30 |
drupal drupal 6.31 |
drupal drupal 6.6 |
drupal drupal 6.7 |
drupal drupal 7.14 |
drupal drupal 7.15 |
drupal drupal 7.21 |
drupal drupal 7.22 |
drupal drupal 7.29 |
drupal drupal 7.3 |
drupal drupal 7.30 |
drupal drupal 7.5 |
drupal drupal 7.6 |
drupal drupal 6.11 |
drupal drupal 6.12 |
drupal drupal 6.19 |
drupal drupal 6.2 |
drupal drupal 6.26 |
drupal drupal 6.27 |
drupal drupal 6.34 |
drupal drupal 6.35 |
drupal drupal 7.12 |
drupal drupal 7.13 |
drupal drupal 7.2 |
drupal drupal 7.20 |
drupal drupal 7.27 |
drupal drupal 7.28 |
drupal drupal 7.37 |
drupal drupal 7.4 |
drupal drupal 6.1 |
drupal drupal 6.10 |
drupal drupal 6.17 |
drupal drupal 6.18 |
drupal drupal 6.24 |
drupal drupal 6.25 |
drupal drupal 6.32 |
drupal drupal 6.33 |
drupal drupal 6.8 |
drupal drupal 6.9 |
debian debian linux 7.0 |
debian debian linux 8.0 |

Verisign, LiveJournal and StackExchange members are your unknown admins
Drupal has shuttered a flaw in its implementation of OpenID that allows attackers to log in as web site administrators. The flaw (CVE-2015-3234) is the most critical of four and affects versions six and seven of the content management system. Drupal's security team say attackers can target unpatched systems if they hold an OpenID account. "A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their a...