CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.967 High
Percentile: 99.7%
CSRF issue: CVE-2012-2713
BrowserID login theft: CVE-2012-2714
The BrowserID module provides integration with BrowserID (also known as Mozilla Persona) – a Mozilla project that lets users of your site quickly and easily log in without needing to remember a password specific to your site.
The module did not sufficiently validate requests for authentication to log in. This potentially allowed a Cross-Site Request Forgery (CSRF) attack, and it introduced the possibility that logging in to a malicious site with BrowserID could give that site the ability to log in to other websites using your BrowserID identity.
Drupal core is not affected. If you do not use the contributed BrowserID (Mozilla Persona) module, there is nothing you need to do.
Install the latest version:
This version adds a dependency on the Session API module. Make sure you install Session API before upgrading to BrowserID 7.x-1.3.
Also see the BrowserID (Mozilla Persona) project page.
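The two issues above correspond to two server-side checks on a login request, shown here as an added sketch that is not the module's code or its actual fix. All function and parameter names are hypothetical, and the verifier reply is assumed to carry the fields status, email, audience and expires (milliseconds since the epoch).

```php
<?php
// Added illustration; all function and parameter names are hypothetical.

// Issue (once per session) the token the login form must send back.
function example_login_token(array &$session): string {
  if (empty($session['login_token'])) {
    $session['login_token'] = bin2hex(random_bytes(32));
  }
  return $session['login_token'];
}

// Returns the e-mail address to log in, or null when the request is rejected.
// $verified: decoded JSON reply from the assertion verifier.
// $siteOrigin: this site's origin from server configuration; the same value
//   is what the server sends to the verifier as the audience, never a value
//   taken from the incoming request.
function example_accept_login(array $session, string $postedToken,
    array $verified, string $siteOrigin, int $nowMs): ?string {
  // CSRF check: the request must carry the token issued to this session.
  $expected = $session['login_token'] ?? '';
  if ($expected === '' || !hash_equals($expected, $postedToken)) {
    return null;
  }
  if (($verified['status'] ?? '') !== 'okay') {
    return null;
  }
  // Login-theft check: an assertion minted for another site is refused.
  if (($verified['audience'] ?? null) !== $siteOrigin) {
    return null;
  }
  $expires = $verified['expires'] ?? 0;
  if (!is_numeric($expires) || $expires <= $nowMs) {
    return null;
  }
  $email = $verified['email'] ?? null;
  return (is_string($email) && $email !== '') ? $email : null;
}

// Constructed sample data, not taken from the advisory.
$session = [];
$token = example_login_token($session);
$site = 'https://example.org';
$now = 1700000000000;
$good = ['status' => 'okay', 'email' => 'alice@example.org',
         'audience' => $site, 'expires' => $now + 60000];
$otherSite = ['audience' => 'https://other.example'] + $good;
var_dump(example_accept_login($session, $token, $good, $site, $now));
var_dump(example_accept_login($session, 'forged', $good, $site, $now));
var_dump(example_accept_login($session, $token, $otherSite, $site, $now));
```

Only the first call passes both checks; the second fails the session token comparison and the third carries an assertion issued for a different audience.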