This module lets users log in to a Drupal website through an external provider over the OAuth 2.0 protocol.
The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which is displayed as part of an error message by a test authentication endpoint which is accessible by anonymous users, leading to an XSS vulnerability.
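The defensive pattern for both issues, as an added example in plain PHP that is not the module's code or its actual fix: a redirect target taken from a request is accepted only when it is a site-relative path, and any user-supplied text is HTML-escaped before it is placed in an error message. The function names and sample inputs are hypothetical; in Drupal 7 the corresponding core helpers are `url_is_external()` and `check_plain()`.

```php
<?php
// Added example: hypothetical helper names, constructed sample inputs.

/**
 * Returns $target only when it is a site-relative path, otherwise $fallback.
 */
function safe_local_redirect($target, $fallback = '/') {
  if (!is_string($target) || $target === '') {
    return $fallback;
  }
  // Control characters allow header injection; some browsers treat '\' as '/'.
  if (preg_match('/[\x00-\x1f\x7f\\\\]/', $target)) {
    return $fallback;
  }
  // Require exactly one leading '/': absolute URLs have none, and
  // protocol-relative URLs ('//host/path') have two.
  if ($target[0] !== '/' || (isset($target[1]) && $target[1] === '/')) {
    return $fallback;
  }
  return $target;
}

/**
 * Builds the error markup with the user-controlled part escaped.
 */
function render_auth_error($message) {
  $safe = htmlspecialchars((string) $message, ENT_QUOTES, 'UTF-8');
  return '<div class="messages error">Authentication failed: ' . $safe . '</div>';
}

// Constructed inputs: one legitimate path and four that must be refused.
$samples = array(
  '/user/1/edit',
  'https://other-site.example/',
  '//other-site.example/',
  '/\\other-site.example',
  "/ok\r\nX-Injected: 1",
);
foreach ($samples as $s) {
  printf("%-34s => %s\n", json_encode($s), safe_local_redirect($s));
}

// Markup in the message is rendered as text, not interpreted by the browser.
echo render_auth_error('<script>alert(1)</script>'), "\n";
```

Only the first sample is returned unchanged; the other four fall back to `/`.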
Install the latest version:
- If you use the miniOrange OAuth Client module for Drupal 7.x, upgrade to miniOrange OAuth Client 7.x-1.21
- Drew Webber provisional security team member
- Gaurav Sood
- Drew Webber provisional security team member