5
CVE-2010-3686
- EPSS 2.37%
- Veröffentlicht 29.09.2010 17:00:05
- Zuletzt bearbeitet 16.06.2026 23:23:20
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Peter Wolanin ≫ Openid Version5.x-1.0
Peter Wolanin ≫ Openid Version5.x-1.1
Peter Wolanin ≫ Openid Version5.x-1.2
Peter Wolanin ≫ Openid Version5.x-1.3
Peter Wolanin ≫ Openid Version5.x-1.x Updatedev
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.37% | 0.816 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
http://drupal.org/node/880476
http://marc.info/?l=oss-security&m=128418560705305&w=2
http://marc.info/?l=oss-security&m=128440896914512&w=2
http://www.debian.org/security/2010/dsa-2113
http://drupal.org/node/880480
http://www.securityfocus.com/bid/42388