
CVE-2016-2049
https://notcve.org/view.php?id=CVE-2016-2049
01 Feb 2016 — examples/consumer/common.php in JanRain PHP OpenID library (aka php-openid) improperly checks the openid.realm parameter against the SERVER_NAME element in the SERVER superglobal array, which might allow remote attackers to hijack the authentication of arbitrary users via vectors involving a crafted HTTP Host header. • http://www.openwall.com/lists/oss-security/2016/01/24/2 • CWE-284: Improper Access Control

CVE-2013-1812 – Gentoo Linux Security Advisory 201405-14
https://notcve.org/view.php?id=CVE-2013-1812
12 Dec 2013 — The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack. A vulnerability in Ruby OpenID may lead to Denial of Service. Versions less ... • http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120204.html • CWE-399: Resource Management Errors

CVE-2013-4701
https://notcve.org/view.php?id=CVE-2013-4701
21 Aug 2013 — Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. • http://jvn.jp/en/jp/JVN24713981/index.html

CVE-2012-2296
https://notcve.org/view.php?id=CVE-2012-2296
25 Jul 2012 — The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x, 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by leveraging a separate vulnerability. • http://drupal.org/node/1515114 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2011-3707
https://notcve.org/view.php?id=CVE-2011-3707
23 Sep 2011 — JanRain PHP OpenID library (aka php-openid) 2.2.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by Auth/Yadis/Yadis.php and certain other files. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2011-0771
https://notcve.org/view.php?id=CVE-2011-0771
04 Feb 2011 — The Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site. • http://drupal.org/node/1033154 • CWE-20: Improper Input Validation