View online: https://www.drupal.org/sa-contrib-2019-016
Project: OAuth 2.0 Client Login (Single Sign-On) [1] Date: 2019-February-13 Security risk: *Critical* 17∕25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All [2] Vulnerability: Multiple Vulnerabilities
Description: This module enables you to allow login into the Drupal websites through an external provider over the OAuth 2.0 protocol.
The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which is displayed as part of an error message by a test authentication endpoint which is accessible by anonymous users, leading to an XSS vulnerability.
Solution: Install the latest version:
* If you use the miniOrange OAuth Client module for Drupal 7.x, upgrade to miniOrange OAuth Client 7.x-1.21 [3]
Reported By: * Drew Webber [4]
Fixed By: * Drew Webber [5] provisional security team member * Gaurav Sood [6]
Coordinated By: * Drew Webber [7] provisional security team member
[1] https://www.drupal.org/project/miniorange_oauth_client [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/miniorange_oauth_client/releases/7.x-1.21 [4] https://www.drupal.org/user/255969 [5] https://www.drupal.org/user/255969 [6] https://www.drupal.org/user/3288491 [7] https://www.drupal.org/user/255969