CVE-2015-3234
Drupal 6.x < 6.36 and 7.x < 7.38 - Unauthenticated Account Takeover via OpenID Provider Spoofing
Title source: llmDescription
The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers.
References (5)
Core References:
- Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161265.html
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/75294
- Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2015/dsa-3291
- Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161261.html
- Patch, Vendor Advisory (x_refsource_confirm): https://www.drupal.org/SA-CORE-2015-002
Scores
EPSS: 0.0050
EPSS Percentile: 66.1%
Details
CWE: CWE-20
Status: published
Products (39)
- debian/debian_linux 7.0
- debian/debian_linux 8.0
- drupal/drupal 6.0 (10 CPE variants)
- drupal/drupal 6.1
- drupal/drupal 6.2
- drupal/drupal 6.3
- drupal/drupal 6.4
- drupal/drupal 6.5
- drupal/drupal 6.6
- drupal/drupal 6.7
- ... and 29 more
Published: Jun 22, 2015
Tracked Since: Feb 18, 2026