Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Date:
2019-February-13
Vulnerability:
Multiple Vulnerabilities
Description:
This module enables you to allow login into the Drupal websites through an external provider over the OAuth 2.0 protocol.
The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which is displayed as part of an error message by a test authentication endpoint which is accessible by anonymous users, leading to an XSS vulnerability.
Solution:
Install the latest version:
- If you use the miniOrange OAuth Client module for Drupal 7.x, upgrade to miniOrange OAuth Client 7.x-1.21
Reported By:
Fixed By:
- Drew Webber provisional security team member
- Gaurav Sood
Coordinated By:
- Drew Webber provisional security team member
