it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) - Critical - Cross Site Scripting - SA-CONTRIB-2024-067
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) - Critical - Cross Site Scripting - SA-CONTRIB-2024-067
- Date: Wed, 4 Dec 2024 17:21:12 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=IDWqqmei; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 554CB43555
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 5FE78804BF
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-067
Project: OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) [1]
Date: 2024-December-04
Security risk: *Critical* 16 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: >=3.0.0 <3.44.0 || >=4.0.0 <4.0.19
Description:
This module enables you to authenticate users through an Identity Provider
(IdP) or OAuth Server, allowing them to log in to your Drupal site.
The module does not sufficiently escape query parameters sent to the callback
URL when displaying error messages, particularly if the code parameter is
missing in the response.
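The following plain-PHP script is an added illustration of the pattern the description refers to; it is not code from the miniorange_oauth_client module or from the advisory, and the function names, the sample callback query and the message wording are all constructed for the example. It models a callback handler that builds an error message when the code parameter is absent, with the unescaped (vulnerable) pattern beside the escaped one.

```php
<?php
// Illustrative, self-contained PHP; not the module's own code.
// An OAuth/OIDC callback normally carries ?code=...&state=...; on failure the
// IdP instead sends error and error_description. Both are attacker-reachable
// request input and must be escaped before they are placed into HTML.

declare(strict_types=1);

/**
 * Vulnerable pattern (hypothetical): request parameters are concatenated
 * into the error markup unchanged, so any markup they carry becomes live HTML.
 */
function render_callback_error_unescaped(array $query): string {
    if (isset($query['code']) && $query['code'] !== '') {
        return '';
    }
    $error = $query['error'] ?? 'unknown_error';
    $desc  = $query['error_description'] ?? 'Authorization code missing in the callback response.';
    return '<div class="messages messages--error">'
         . 'Login failed: ' . $error . ' (' . $desc . ')'
         . '</div>';
}

/**
 * Hardened pattern: every request-derived value is HTML-escaped first.
 * In a Drupal module the equivalent is \Drupal\Component\Utility\Html::escape()
 * or an '@' placeholder in t(), which escapes the substituted value.
 */
function render_callback_error_escaped(array $query): string {
    if (isset($query['code']) && $query['code'] !== '') {
        return '';
    }
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $error = $esc((string) ($query['error'] ?? 'unknown_error'));
    $desc  = $esc((string) ($query['error_description'] ?? 'Authorization code missing in the callback response.'));
    return '<div class="messages messages--error">'
         . 'Login failed: ' . $error . ' (' . $desc . ')'
         . '</div>';
}

// Constructed sample callback query: no `code`, and a parameter carrying markup.
$sample = [
    'state'             => 'constructed-state-value',
    'error'             => 'access_denied',
    'error_description' => 'User cancelled <em>or tampered</em> request',
];

$unsafe = render_callback_error_unescaped($sample);
$safe   = render_callback_error_escaped($sample);

// The unescaped output keeps <em> as live markup; the escaped output turns it
// into &lt;em&gt; so the browser shows it as text.
printf("unescaped keeps markup: %s\n", var_export(str_contains($unsafe, '<em>'), true));
printf("escaped keeps markup:   %s\n", var_export(str_contains($safe, '<em>'), true));
echo "unescaped: $unsafe\n";
echo "escaped:   $safe\n";
```

Two points from a defender's side: the escaping has to apply to every parameter that ends up in the message (error, error_description and anything else the handler echoes back), not only to the one named in the report, and the callback should still verify the state value before rendering anything, so that a callback URL that was not started by this site is rejected outright rather than rendered as an error.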
Solution:
Install the latest version:
* If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC
Client) module 8.x-3.x for Drupal 9 and Drupal 10, upgrade to
miniorange_oauth_client 8.x-3.44 [3].
* If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC
Client) module 4.x for Drupal 9, Drupal 10 and Drupal 11, upgrade to
miniorange_oauth_client 4.0.19 [4].
* If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC
Client) module 7.x-1.x for Drupal 7, upgrade to miniorange_oauth_client
7.x-1.355 [5].
Reported By:
* Borut Piletic [6]
Fixed By:
* Borut Piletic [7]
* singh_ankit [8]
* Ivo Van Geertruyen [9] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team
[1] https://www.drupal.org/project/miniorange_oauth_client
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_oauth_client/releases/8.x-3.44
[4] https://www.drupal.org/project/miniorange_oauth_client/releases/4.0.19
[5] https://www.drupal.org/project/miniorange_oauth_client/releases/7.x-1.355
[6] https://www.drupal.org/user/2714887
[7] https://www.drupal.org/user/2714887
[8] https://www.drupal.org/user/3723914
[9] https://www.drupal.org/user/383424
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/user/108450
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19+.