OAuth Client & OpenID Connect SSO | OAuth/OIDC Login - Critical - Cross Site Scripting - SA-CONTRIB-2024-067

Project:

OAuth Client & OpenID Connect SSO | OAuth/OIDC Login

Date:

2024-December-04

Security risk:

Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross Site Scripting

Affected versions:

>=3.0.0 <3.44.0 || >=4.0.0 <4.0.19

CVE IDs:

CVE-2024-13301

Description:

This module enables you to authenticate users through an Identity Provider (IdP) or OAuth Server, allowing them to log in to your Drupal site.

The module does not sufficiently escape query parameters sent to the callback URL when displaying error messages, particularly if the code parameter is missing in the response.

Solution:

Install the latest version:

If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 8.x-3.x for Drupal 9 and Drupal 10, upgrade to miniorange_oauth_client 8.x-3.44 .
If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 4.x for Drupal 9, Drupal 10 and Drupal 11, upgrade to miniorange_oauth_client 4.0.19.
If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 7.x-1.x for Drupal 7, upgrade to miniorange_oauth_client 7.x-1.355.

Reported By:

Borut Piletic

Fixed By:

Borut Piletic
singh_ankit
Ivo Van Geertruyen of the Drupal Security Team

Coordinated By:

Greg Knaddison of the Drupal Security Team
Damien McKenna of the Drupal Security Team

Contribution record

OAuth Client & OpenID Connect SSO | OAuth/OIDC Login - Critical - Cross Site Scripting - SA-CONTRIB-2024-067

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community