CVE-2010-3686
Severity CVSS v4.0:
Pending analysis
Type:
CWE-287
Authentication Issues
Publication date:
29/09/2010
Last modified:
11/04/2025
Description
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
Impact
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:drupal:drupal:6.0:*:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.0:beta1:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.0:beta2:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.0:beta3:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.0:beta4:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.0:dev:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.0:rc1:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.0:rc2:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.0:rc3:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.0:rc4:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.1:*:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.2:*:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.3:*:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.4:*:*:*:*:*:*:* | ||
cpe:2.3:a:drupal:drupal:6.5:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://drupal.org/node/880476
- http://drupal.org/node/880480
- http://marc.info/?l=oss-security&m=128418560705305&w=2
- http://marc.info/?l=oss-security&m=128440896914512&w=2
- http://www.debian.org/security/2010/dsa-2113
- http://www.securityfocus.com/bid/42388
- http://drupal.org/node/880476
- http://drupal.org/node/880480
- http://marc.info/?l=oss-security&m=128418560705305&w=2
- http://marc.info/?l=oss-security&m=128440896914512&w=2
- http://www.debian.org/security/2010/dsa-2113
- http://www.securityfocus.com/bid/42388