Drupal BrowserID (Mozilla Persona) Module Multiple Security Vulnerabilities
| Bugtraq ID: | 53673 |
| Class: | Unknown |
| CVE: | CVE-2012-2713 CVE-2012-2714 |
| Remote: | Yes |
| Local: | No |
| Published: | May 23 2012 12:00AM |
| Updated: | Aug 07 2012 08:42PM |
| Credit: | Isaac Sukin |
| Vulnerable: | Drupal BrowserID (Mozilla Persona) 7.x-1.2 |
| Not Vulnerable: | Drupal BrowserID (Mozilla Persona) 7.x-1.3 |
Discussion
The BrowserID (Mozilla Persona) module for Drupal is prone to a cross-site request-forgery vulnerability and a security-bypass vulnerability.
Attackers can exploit these issues to bypass security restrictions to obtain sensitive information or to perform unauthorized actions and gain access to the affected application; this may aid in launching further attacks.
BrowserID (Mozilla Persona) 7.x-1.x versions prior to 7.x-1.3 are vulnerable.
Exploit / POC
Attackers can use a browser to exploit the security-bypass issue. To exploit the cross-site scripting vulnerability, attackers must trick an unsuspecting victim into following a malicious URI.
Solution / Fix
Solution:
Updates are available. Please see the references for details.
Drupal BrowserID (Mozilla Persona) 7.x-1.2
- Drupal browserid 7.x-1.3: https://drupal.org/node/1596464
References
References:
- BrowserID (Mozilla Persona) Homepage (Drupal)
- Drupal Homepage (Drupal)
- SA-CONTRIB-2012-085 - BrowserID - Multiple Vulnerabilities (Drupal)