Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Date:
2021-November-17
Vulnerability:
Access Bypass
Affected versions:
<1.4.0
Description:
This module enables users to authenticate through their Microsoft Azure AD account.
The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another existing account.
This vulnerability is mitigated by the fact that an attacker must have knowledge of user accounts that have the administrator role or accounts with the 'Set a password for local authentication' permission. In addition the site must be configured with the 'Update email address in user profile' setting turned on.
Solution:
Install the latest version:
- If you use the OpenID Connect Microsoft Azure Active Directory client module 7.x-1.x, upgrade to OpenID Connect Microsoft Azure Active Directory client 7.x-1.2
- If you use the OpenID Connect Microsoft Azure Active Directory client module 8.x-1.x, upgrade to OpenID Connect Microsoft Azure Active Directory client 8.x-1.4
Reported By:
Fixed By:
- John Kingsnorth
- Lee Rowlands of the Drupal Security Team
- Jesse Payne
- Fabian de Rijk
Coordinated By:
- Greg Knaddison of the Drupal Security Team
