CVE-2010-3686

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

Date published : 2010-09-29

http://www.securityfocus.com/bid/42388

http://drupal.org/node/880476