DRUPAL-CONTRIB-2024-067

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/miniorange_oauth_client/DRUPAL-CONTRIB-2024-067.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-067
Aliases
  • CVE-2024-13301
Published
2024-12-04T14:40:50Z
Modified
2025-12-10T23:41:33.217494Z
Summary
[none]
Details

This module enables you to authenticate users through an Identity Provider (IdP) or OAuth Server, allowing them to log in to your Drupal site.

The module does not sufficiently escape query parameters sent to the callback URL when displaying error messages, particularly if the code parameter is missing in the response.

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/miniorange_oauth_client

Package

Name
drupal/miniorange_oauth_client
Purl
pkg:composer/drupal/miniorange_oauth_client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.32.0
Fixed
3.44.0
Database specific
{
    "constraint": ">=3.32.0 <3.44.0"
}
Type
ECOSYSTEM
Events
Introduced
4.0.1
Fixed
4.0.19
Database specific
{
    "constraint": ">=4.0.1 <4.0.19"
}

Database specific

patched
true
affected_versions
">=3.32.0 <3.44.0 || >=4.0.1 <4.0.19"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/miniorange_oauth_client/DRUPAL-CONTRIB-2024-067.json"