[Security-news] OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) - Critical - Cross Site Scripting - SA-CONTRIB-2024-067

security-news at drupal.org security-news at drupal.org
Wed Dec 4 17:21:12 UTC 2024


View online: https://www.drupal.org/sa-contrib-2024-067

Project: OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) [1]
Date: 2024-December-04
Security risk: *Critical* 16 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: >=3.0.0 <3.44.0 || >=4.0.0 <4.0.19
Description: 
This module enables you to authenticate users through an Identity Provider
(IdP) or OAuth Server, allowing them to log in to your Drupal site.

The module does not sufficiently escape query parameters sent to the callback
URL when displaying error messages, particularly if the code parameter is
missing in the response.
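The following PHP snippet is an added illustration of the bug class the advisory describes, not the module's own code or its fix. It places a value taken from the callback's query string into an HTML error message, first unescaped (the vulnerable pattern) and then escaped with `htmlspecialchars()`. The function names and the sample query array are assumptions made for the example; the Drupal-specific note about `Html::escape()` and `t()` placeholders describes the idiomatic escaping helpers, not the project's actual diff.

```php
<?php
// Added example (not the miniorange_oauth_client code). Demonstrates why an
// error message built from callback query parameters must be HTML-escaped.
declare(strict_types=1);

/**
 * Vulnerable pattern (assumed name): the query value is concatenated into
 * markup unchanged, so whatever arrives on the callback URL is rendered as HTML.
 */
function renderCallbackErrorVulnerable(array $query): string
{
    if (!isset($query['code'])) {
        $detail = (string) ($query['error_description'] ?? 'no authorization code received');
        return '<div class="messages messages--error">OAuth callback failed: ' . $detail . '</div>';
    }
    return '';
}

/**
 * Hardened pattern (assumed name): every untrusted value is escaped before it
 * is placed in markup. ENT_QUOTES also escapes single quotes so the value is
 * safe in attribute context; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string. In Drupal the equivalent helpers are
 * \Drupal\Component\Utility\Html::escape() or passing the value as a
 * placeholder (@detail) to t() / TranslatableMarkup.
 */
function renderCallbackErrorSafe(array $query): string
{
    if (!isset($query['code'])) {
        $detail = (string) ($query['error_description'] ?? 'no authorization code received');
        $escaped = htmlspecialchars($detail, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return '<div class="messages messages--error">OAuth callback failed: ' . $escaped . '</div>';
    }
    return '';
}

/**
 * Simple regression check: the rendered message must not contain any raw
 * angle bracket that came from the untrusted input.
 */
function outputKeepsInputInert(string $html, string $input): bool
{
    return strpos($html, $input) === false;
}

// Constructed sample callback query with no "code" parameter, as in the
// advisory. The error_description carries harmless markup to make the
// difference between the two renderers visible.
$sample = [
    'state' => 'constructed-state-value',
    'error_description' => '<b>"quoted" &amp; <i>marked up</i></b>',
];

$unsafe = renderCallbackErrorVulnerable($sample);
$safe = renderCallbackErrorSafe($sample);

echo $unsafe, PHP_EOL;   // markup from the query string is emitted verbatim
echo $safe, PHP_EOL;     // &lt;b&gt;&quot;quoted&quot; &amp;amp; ... shown as literal text

var_dump(outputKeepsInputInert($unsafe, $sample['error_description'])); // bool(false)
var_dump(outputKeepsInputInert($safe, $sample['error_description']));   // bool(true)
```

When reviewing a callback handler, look for the error-path branches (missing `code`, `error`, `error_description`, `state` mismatches) specifically: they are reached by a plain GET to the redirect URI, so they are the branches most likely to echo raw query values into a page.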

Solution: 
Install the latest version:

   * If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC
     Client) module 8.x-3.x for Drupal 9 and Drupal 10, upgrade to
     miniorange_oauth_client 8.x-3.44  [3].
   * If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC
     Client) module 4.x for Drupal 9, Drupal 10 and Drupal 11, upgrade to
     miniorange_oauth_client 4.0.19 [4].
   * If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC
     Client) module 7.x-1.x for Drupal 7, upgrade to miniorange_oauth_client
     7.x-1.355 [5].

Reported By: 
   * Borut Piletic [6]

Fixed By: 
   * Borut Piletic [7]
   * singh_ankit [8]
   * Ivo Van Geertruyen [9] of the Drupal Security Team

Coordinated By: 
   * Greg Knaddison [10] of the Drupal Security Team
   * Damien McKenna [11] of the Drupal Security Team


[1] https://www.drupal.org/project/miniorange_oauth_client
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_oauth_client/releases/8.x-3.44
[4] https://www.drupal.org/project/miniorange_oauth_client/releases/4.0.19
[5] https://www.drupal.org/project/miniorange_oauth_client/releases/7.x-1.355
[6] https://www.drupal.org/user/2714887
[7] https://www.drupal.org/user/2714887
[8] https://www.drupal.org/user/3723914
[9] https://www.drupal.org/user/383424
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/user/108450
