Description
Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
References (3)
Core References
Vendor Advisory (x_refsource_confirm): https://drupal.org/node/1425084
Various Sources (x_refsource_misc): http://openid.net/2011/05/05/attribute-exchange-security-alert/
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2013/dsa-2776
Scores
EPSS: 0.0070
EPSS Percentile: 72.3%
Details
CWE: CWE-200
Status: published
Products (26)
drupal/drupal 6.0 (10 CPE variants)
drupal/drupal 6.1
drupal/drupal 6.2
drupal/drupal 6.10
drupal/drupal 6.11
drupal/drupal 6.12
drupal/drupal 6.13
drupal/drupal 6.14
drupal/drupal 6.15
drupal/drupal 6.16
... and 16 more
Published: Oct 28, 2013
Tracked Since: Feb 18, 2026