View online: https://www.drupal.org/sa-contrib-2024-067
Project: OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) [1]
Date: 2024-December-04
Security risk: *Critical* 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: >=3.0.0 <3.44.0 || >=4.0.0 <4.0.19

Description:
This module enables you to authenticate users through an Identity Provider (IdP) or OAuth Server, allowing them to log in to your Drupal site.
The module does not sufficiently escape query parameters sent to the callback URL when displaying error messages, particularly if the code parameter is missing in the response.
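What the defect class looks like in code, the unescaped callback parameter beside a hardened form, as an added example that is not the module's own code (the handler functions, the query keys and the RFC 6749 error allow-list are assumptions):

```php
<?php
// Added illustration, not the module's own code: a hypothetical OAuth/OIDC
// callback handler sketching the defect class the advisory describes,
// request parameters surfaced in an error message when "code" is absent.

use Drupal\Component\Utility\Html;

// Unsafe shape (assumed, not the project's actual code): callback query
// parameters are concatenated into HTML that is rendered verbatim, so whatever
// the redirecting party put in the URL reaches the browser as markup.
function callback_error_unsafe(array $query): string {
  if (isset($query['code'])) {
    return '';
  }
  $error = $query['error'] ?? 'unknown';
  $description = $query['error_description'] ?? '';
  return '<div class="messages messages--error">Authorization failed: '
    . $error . ' (' . $description . ')</div>';
}

// Error codes RFC 6749 permits in an authorization error response.
const KNOWN_OAUTH_ERRORS = [
  'invalid_request', 'unauthorized_client', 'access_denied',
  'unsupported_response_type', 'invalid_scope', 'server_error',
  'temporarily_unavailable',
];

// Hardened shape: every callback parameter is untrusted. The error code is
// reduced to the allow-list and the free-text description is HTML-encoded by
// Html::escape() before it is placed in markup. In a real module the values
// would instead go through '@' placeholders of $this->t(), which are escaped
// on render, with the result handed to \Drupal::messenger()->addError();
// do not Html::escape() them as well there, or the text is encoded twice.
function callback_error_safe(array $query): string {
  if (isset($query['code'])) {
    return '';
  }
  $error = $query['error'] ?? '';
  if (!is_string($error) || !in_array($error, KNOWN_OAUTH_ERRORS, TRUE)) {
    $error = 'unknown';  // also neutralises ?error[]=... array parameters
  }
  $description = $query['error_description'] ?? '';
  $description = is_string($description) ? Html::escape($description) : '';
  return '<div class="messages messages--error">Authorization failed: '
    . $error . ' (' . $description . ')</div>';
}
```

Given a constructed callback query with no code and an error_description containing markup, the unsafe function returns that markup live while the safe one returns it HTML-encoded.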
Solution:
Install the latest version:

* If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 8.x-3.x for Drupal 9 and Drupal 10, upgrade to miniorange_oauth_client 8.x-3.44 [3].
* If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 4.x for Drupal 9, Drupal 10 and Drupal 11, upgrade to miniorange_oauth_client 4.0.19 [4].
* If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 7.x-1.x for Drupal 7, upgrade to miniorange_oauth_client 7.x-1.355 [5].
Reported By:
* Borut Piletic [6]

Fixed By:
* Borut Piletic [7]
* singh_ankit [8]
* Ivo Van Geertruyen [9] of the Drupal Security Team

Coordinated By:
* Greg Knaddison [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team
[1] https://www.drupal.org/project/miniorange_oauth_client
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_oauth_client/releases/8.x-3.44
[4] https://www.drupal.org/project/miniorange_oauth_client/releases/4.0.19
[5] https://www.drupal.org/project/miniorange_oauth_client/releases/7.x-1.355
[6] https://www.drupal.org/user/2714887
[7] https://www.drupal.org/user/2714887
[8] https://www.drupal.org/user/3723914
[9] https://www.drupal.org/user/383424
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/user/108450