CVE-2026-3530
MEDIUM4.3EPSS 0.04%發布日:2026/3/4修改日:2026/3/4
也稱為:DRUPAL-CONTRIB-2026-025
描述
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. The module doesn't sufficiently validate certain fields coming from the identity provider, which could lead to SSRF and information disclosures. This vulnerability is mitigated by: - an attacker must have access to the identity provider to provide compromised data at the source profile. - a site must have specific field mappings configured
受影響套件(1)
- Packagist/drupal/openid_connectfrom 0, < 1.5.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| nvd | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |