CVE-2010-3686

Published: Sep 29, 2010Modified: Apr 29, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

Affected (32)

Products: Drupal: Drupal · Peter Wolanin: Openid

1 product

1 product

Configuration A

27 vulnerable

Vulnerable Software	Affected Versions
Drupal Drupal	Version 6.0
Drupal Drupal	Version 6.0 beta1
Drupal Drupal	Version 6.0 beta2
Drupal Drupal	Version 6.0 beta3
Drupal Drupal	Version 6.0 beta4
Drupal Drupal	Version 6.0 dev
Drupal Drupal	Version 6.0 rc1
Drupal Drupal	Version 6.0 rc2
Drupal Drupal	Version 6.0 rc3
Drupal Drupal	Version 6.0 rc4
Drupal Drupal	Version 6.10
Drupal Drupal	Version 6.11
Drupal Drupal	Version 6.12
Drupal Drupal	Version 6.13
Drupal Drupal	Version 6.14
Drupal Drupal	Version 6.15
Drupal Drupal	Version 6.16
Drupal Drupal	Version 6.17
Drupal Drupal	Version 6.1
Drupal Drupal	Version 6.2
Drupal Drupal	Version 6.3
Drupal Drupal	Version 6.4
Drupal Drupal	Version 6.5
Drupal Drupal	Version 6.6
Drupal Drupal	Version 6.7
Drupal Drupal	Version 6.8
Drupal Drupal	Version 6.9

Configuration B

5 vulnerable

Vulnerable Software	Affected Versions
Peter Wolanin Openid	Version 5.x-1.0
Peter Wolanin Openid	Version 5.x-1.1
Peter Wolanin Openid	Version 5.x-1.2
Peter Wolanin Openid	Version 5.x-1.3
Peter Wolanin Openid	Version 5.x-1.x dev