[Security-news] OAuth 2.0 Client Login (Single Sign-On) - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016
security-news at drupal.org
Wed Feb 13 19:46:28 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-016
Project: OAuth 2.0 Client Login (Single Sign-On) [1]
Date: 2019-February-13
Security risk: *Critical* 17/25
AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Multiple Vulnerabilities
Description:
This module lets users log in to a Drupal site through an external identity
provider using the OAuth 2.0 protocol.
The module stores a redirect target in a Drupal variable based on unsanitised
user input, leading to an open redirect vulnerability. It also fails to
sanitise user input that is displayed as part of an error message by a test
authentication endpoint accessible to anonymous users, leading to a cross-site
scripting (XSS) vulnerability.
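The following PHP script is an added illustration of the two weakness classes the advisory names, written for this page; it is not the miniOrange OAuth Client source and does not reproduce the module's actual code path. The function names, the 'oauth_redirect' settings key and every sample input are hypothetical. Each flaw is shown as the insecure pattern beside a hardened one; the Drupal 7 API calls a module would normally use (variable_set()/variable_get(), drupal_goto(), url_is_external(), check_plain()) are named in the comments but the script runs with plain PHP so it can be executed from the command line.

```php
<?php
// Added illustration for SA-CONTRIB-2019-016, constructed for this page.
// It is NOT the miniOrange OAuth Client source; function names, the
// 'oauth_redirect' settings key and the sample inputs are all hypothetical.
// Run with: php sa_contrib_2019_016_patterns.php

// ---- Flaw 1: open redirect via an unvalidated, stored redirect target ----

// Insecure pattern: whatever the client supplied is stored for later use.
// $settings stands in for the Drupal 7 variable store (variable_set()/variable_get());
// the stored value is later handed to drupal_goto(), which follows an absolute URL.
function store_redirect_insecure(array &$settings, array $query)
{
    $settings['oauth_redirect'] = isset($query['destination']) ? $query['destination'] : '';
}

// Hardened pattern: only a site-relative path may be stored; anything else
// collapses to $fallback. Drupal 7 ships url_is_external() for the same purpose.
function safe_local_path($candidate, $fallback = '/')
{
    $candidate = trim((string) $candidate);
    if ($candidate === '') {
        return $fallback;
    }
    // Control characters can split or hide a scheme ("jav\tascript:").
    if (preg_match('/[\x00-\x1f\x7f]/', $candidate)) {
        return $fallback;
    }
    // An explicit scheme: "https://evil.example", "javascript:alert(1)".
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate)) {
        return $fallback;
    }
    // Protocol-relative URL ("//evil.example") or the backslash forms that
    // browsers normalise to one ("/\evil.example").
    if (strpos($candidate, '//') === 0 || strpos($candidate, '\\') !== false) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate[0] === '/' ? $candidate : '/' . $candidate;
}

function store_redirect_hardened(array &$settings, array $query)
{
    $wanted = isset($query['destination']) ? $query['destination'] : '';
    $settings['oauth_redirect'] = safe_local_path($wanted, '/user');
}

// ---- Flaw 2: reflected XSS in an error message on an anonymous test endpoint ----

// Insecure pattern: attacker-controlled text is concatenated straight into HTML.
function error_message_insecure($detail)
{
    return '<div class="messages error">Authentication test failed: ' . $detail . '</div>';
}

// Hardened pattern: escape at the point of output. Drupal 7's check_plain()
// wraps the same htmlspecialchars() call with ENT_QUOTES and UTF-8; ENT_SUBSTITUTE
// is added here so invalid UTF-8 is replaced instead of emptying the string.
function error_message_hardened($detail)
{
    $safe = htmlspecialchars($detail, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="messages error">Authentication test failed: ' . $safe . '</div>';
}

// ---- Demonstration on constructed attacker inputs ----

$redirect_cases = [
    'https://evil.example/phish',   // absolute URL to another host
    '//evil.example/phish',         // protocol-relative
    '/\evil.example',               // backslash variant
    'javascript:alert(1)',          // scheme that is not http(s)
    'user/login',                   // legitimate relative path
    '/user/1?destination=x',        // legitimate path with a query string
];
foreach ($redirect_cases as $case) {
    $insecure = [];
    $hardened = [];
    store_redirect_insecure($insecure, ['destination' => $case]);
    store_redirect_hardened($hardened, ['destination' => $case]);
    printf("%-26s insecure stores: %-26s hardened stores: %s\n",
        $case, $insecure['oauth_redirect'], $hardened['oauth_redirect']);
}

$xss_payload = '"><script>alert(document.domain)</script>';
echo "\n", error_message_insecure($xss_payload), "\n";
echo error_message_hardened($xss_payload), "\n";
```

Two points a practitioner would check beyond the escaping shown here. First, output escaping fixes the XSS only at the sink; the advisory also says the test endpoint is reachable anonymously, so a Drupal 7 module would normally gate such a path behind a permission through the 'access arguments' of its hook_menu() item rather than expose it to every visitor. Second, the redirect check above is deliberately stricter than Drupal 7's url_is_external() (it also rejects backslashes and control characters); whichever check is used, it must run before the value is stored, because a value already sitting in the variable table will be trusted on every later login.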
Solution:
Install the latest version:
* If you use the miniOrange OAuth Client module for Drupal 7.x, upgrade to
miniOrange OAuth Client 7.x-1.21 [3]
Reported By:
* Drew Webber [4]
Fixed By:
* Drew Webber [5] provisional security team member
* Gaurav Sood [6]
Coordinated By:
* Drew Webber [7] provisional security team member
[1] https://www.drupal.org/project/miniorange_oauth_client
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_oauth_client/releases/7.x-1.21
[4] https://www.drupal.org/user/255969
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/3288491
[7] https://www.drupal.org/user/255969