DRUPAL-CONTRIB-2021-044

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/openid_connect_windows_aad/DRUPAL-CONTRIB-2021-044.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-044

Published

2021-11-17T15:45:07Z

Modified

2025-12-10T23:30:38.380183Z

Summary

[none]

Details

This module enables users to authenticate through their Microsoft Azure AD account.

The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another existing account.

This vulnerability is mitigated by the fact that an attacker must have knowledge of user accounts that have the administrator role or accounts with the 'Set a password for local authentication' permission. In addition the site must be configured with the 'Update email address in user profile' setting turned on.

References

https://www.drupal.org/sa-contrib-2021-044

Credits

- John Kingsnorth
- - https://www.drupal.org/user/2659819

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/openid_connect_windows_aad

Package

Name: drupal/openid_connect_windows_aad
Purl: pkg:composer/drupal/openid_connect_windows_aad

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.4.0

Database specific

{
    "constraint": "<1.4.0"
}

Database specific

affected_versions

"<1.4.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/openid_connect_windows_aad/DRUPAL-CONTRIB-2021-044.json"