CVSS2
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:H/Au:S/C:N/I:P/A:N
EPSS
Percentile: 99.7%
The Shibboleth authentication module allows users to log in and get permissions based on federated (SAML2) authentication.
The module didn’t filter the text that is displayed as a login link.
This vulnerability was mitigated by the fact that an attacker must have a role with the permission "Administer blocks".
Drupal core is not affected. If you do not use the contributed Shibboleth authentication module, there is nothing you need to do.
Also see the Shibboleth authentication project page.
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/shib_auth
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/mlhess
www.drupal.org/user/192687
www.drupal.org/user/250470
www.drupal.org/writing-secure-code