• Advisory ID: DRUPAL-SA-CONTRIB-2012-085
  • Project: BrowserID (Mozilla Persona) (third-party module)
  • Version: 7.x
  • Date: 2012-May-23
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery (results in Privilege Escalation)


CSRF Issue:
CVE: CVE-2012-2713

BrowserID login theft:
CVE: CVE-2012-2714

The BrowserID module provides integration with BrowserID (also known as Mozilla Persona) -- a Mozilla project that lets users of your site quickly and easily log in without needing to remember a password specific to your site.

The module did not sufficiently validate requests for authentication to log in, potentially allowing a Cross Site Request Forgery (CSRF) attack and introducing the possibility that logging in to a malicious site with BrowserID could give that site the ability to log in to other websites using your BrowserID identity.

Versions affected

  • BrowserID (Mozilla Persona) 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed BrowserID (Mozilla Persona) module, there is nothing you need to do.


Install the latest version:

This version adds a dependency on the Session API module. Make sure you install Session API before upgrading to BrowserID 7.x-1.3.

Also see the BrowserID (Mozilla Persona) project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.