CVE-2024-13301 - XSS Vulnerability in Drupal OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) Explained

Summary:
CVE-2024-13301 is a Cross-Site Scripting (XSS) vulnerability found in the popular Drupal module “OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client)”. This security issue allows attackers to inject harmful scripts by taking advantage of improper input handling. If successful, the attacker’s code runs in the browser of users visiting the affected Drupal site. The vulnerability exists in versions from 3.. up to, but not including, 3.44., and from 4.. before 4..19.

What is Cross-Site Scripting (XSS)?

XSS is a type of web security bug where attackers trick a website into sending unsafe code (often JavaScript) to end users. When the user’s browser runs this malicious code, attackers can steal cookies, session data, or perform actions as the user without their knowledge.

Version 4: from 4.. up to (but not including) 4..19

> If you use any of these versions, you should update as soon as possible.

How Did This Happen?

The problem stems from improper neutralization, meaning user inputs were not being safely handled or sanitized when displayed on web pages. Usually, developers should ensure that any data sent to the webpage is "escaped" (so it’s displayed as text, not run as code). But in these vulnerable versions, some values could be used by the plugin and later put directly into HTML, leading to possible XSS.

Vulnerability Details

Let’s look at a hypothetical (but realistic) example to show what the vulnerable code might look like:

// Example vulnerable code (not actual code from plugin)
$name = $_GET['name'];  // Untrusted user input
echo "<div>Welcome, $name!</div>"; // Unsafely injecting input into HTML

If a user visits

https://example.com/?name=<script>alert('Hacked')</script>;

The page might actually render

<div>Welcome, <script>alert('Hacked')</script>!</div>

This causes the browser to run the attacker's script. In the real plugin, the point of injection might be tied to OAuth or OpenID configuration or error messages.

Exploit Scenario

An attacker can craft a URL or trick a user into clicking a malicious link with script code embedded in a query parameter or form field used by the OAuth/OIDC SSO module.

Example Attack URL

https://drupalsite.com/sso/login?state=<script>alert('XSS')</script>;

If the plugin failed to sanitize the state parameter, when a user visits the link during authentication, the injected script runs in the context of the Drupal site.

Data Theft: Read sensitive site data, including user info and authentication tokens.

- Widespread Attacks: Malicious scripts can automatically send more phishing links to others or change site settings.

How to Fix

Immediate Solution:
Upgrade your module to version 3.44.+ (for v3 releases) or 4..19+ (for v4 releases).
The maintainers have patched the issue in these versions.

Download here:
- Drupal OAuth & OpenID Connect SSO (Drupal.org)

Manual Patching Tip:

If you can’t upgrade immediately, you should escape any dynamic output, for example

echo "<div>Welcome, " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "!</div>";

But upgrading is always safest.

Links and References

- CVE-2024-13301 on CVE.org
- Drupal Security Advisory *(replace xxx with real advisory if known)*
- OAuth & OpenID Connect SSO module page
- OWASP XSS Basics

Conclusion

This vulnerability (CVE-2024-13301) is a good reminder about always keeping Drupal core and modules up to date—especially when dealing with authentication plugins. If you’re using the OAuth & OpenID Connect SSO module, update it right away to protect your users from XSS attacks.

If you want to double-check your site’s exposure, look for any error messages or dynamic text generated by the module and see if special characters can sneak into the HTML. Always sanitize output!

Timeline

Published on: 01/09/2025 21:15:28 UTC
Last modified on: 01/10/2025 17:15:16 UTC