cbcvebase.
CVE-2012-4554
published 2012-11-11

CVE-2012-4554: The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.

PriorityP342medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
15.81%
96.5th percentile
The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.

Affected

16 ranges
VendorProductVersion rangeFixed in
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal
drupaldrupal

Detection & IOCsextracted from sources · hover to see the quote

versionDrupal 7.15
versionDrupal 7.2
  • Detect crafted DOCTYPE declarations in XRDS files returned by remote OpenID servers, which may indicate an XXE injection attempt targeting the Drupal OpenID module.
  • Monitor Drupal OpenID authentication flows for responses containing DOCTYPE declarations with SYSTEM or PUBLIC entity references, which are characteristic of XXE payloads used to read arbitrary files.
  • ·Vulnerability only affects Drupal 7.x installations with the OpenID module explicitly enabled; sites without OpenID enabled are not affected.
  • ·The attack is triggered by a remote OpenID server returning a malicious XRDS file; exploitation requires the victim Drupal site to initiate an OpenID authentication request to an attacker-controlled endpoint.
  • ·Fixed in Drupal 7.16; versions 7.x before 7.16 are vulnerable.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.