CVE-2013-4552
drupalauth < 1.2.1 - Unauthenticated Authentication Bypass via User Cookie
Title source: llmDescription
lib/Auth/Source/External.php in the drupalauth module before 1.2.2 for simpleSAMLphp allows remote attackers to authenticate as an arbitrary user via the user name (uid) in a cookie.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://code.google.com/p/drupalauth/issues/detail?id=9
Patch mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2013/11/05/1
Patch mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2013/11/08/6
Scores
EPSS
0.0143
EPSS Percentile
69.7%
Details
CWE
CWE-287
Status
published
Products (1)
drupalauth_project/drupalauth
< 1.2.1
Published
May 13, 2014
Tracked Since
Feb 18, 2026