Executive Summary

Informations
NameCVE-2010-3686First vendor Publication2010-09-29
VendorCveLast vendor Modification2010-09-30

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Cvss Base Score5Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3686

CWE : Common Weakness Enumeration

idName
CWE-287Improper Authentication

CPE : Common Platform Enumeration

TypeDescriptionCount
Application27
Application5

OpenVAS Exploits

DateDescription
2010-10-10Name : Debian Security Advisory DSA 2113-1 (drupal6)
File : nvt/deb_2113_1.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
68295Drupal OpenID Module Field Signing Weakness Assertion Leveraging Remote Authe...

Nessus® Vulnerability Scanner

DateDescription
2010-09-21Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2113.nasl - Type : ACT_GATHER_INFO

Internal Sources (Detail)

SourceUrl
BIDhttp://www.securityfocus.com/bid/42388
CONFIRMhttp://drupal.org/node/880476
http://drupal.org/node/880480
DEBIANhttp://www.debian.org/security/2010/dsa-2113
MLISThttp://marc.info/?l=oss-security&m=128418560705305&w=2
http://marc.info/?l=oss-security&m=128440896914512&w=2

Alert History

If you want to see full details history, please login or register.
0
1
DateInformations
2014-02-17 10:57:47
  • Multiple Updates
2013-05-10 23:33:56
  • Multiple Updates