Vulnerabilities > Janrain

Date | CVE | Title | Risk (CVSS base score). Each entry is followed by its description and, where the listing records them, its attack vector, access complexity, vendor and CWE tags.

2016-02-01 | CVE-2016-2049 | Improper Access Control vulnerability in Janrain php-openid | Risk 6.8
examples/consumer/common.php in the JanRain PHP OpenID library (aka php-openid) improperly checks the openid.realm parameter against the SERVER_NAME element of the $_SERVER superglobal, which might allow remote attackers to hijack the authentication of arbitrary users via vectors involving a crafted HTTP Host header (web servers such as Apache populate SERVER_NAME from the client-supplied Host header in their default configuration, so the reference value the check relies on is attacker-controlled).
Vector: network | Vendor: janrain | CWE-284

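How the realm check in CVE-2016-2049 goes wrong, as an added illustration that is not php-openid's own code: the vulnerable function derives "our host" from $_SERVER['SERVER_NAME'], which Apache fills from the client's Host header under the default UseCanonicalName Off, so an attacker can make any realm look local; the hardened function compares the realm against a trust root configured out of band. The function names, the $trustRoot value and the request array are assumptions made for the demonstration.

```php
<?php
// Added example, not php-openid's own code. Illustrates the CVE-2016-2049
// class of bug: deciding whether openid.realm is "ours" by looking at
// $_SERVER['SERVER_NAME'], which Apache (default UseCanonicalName Off)
// copies from the client-supplied Host header.

// Vulnerable pattern: the reference value comes from the request itself,
// so whoever sends the request also chooses what counts as the local host.
function realm_is_local_vulnerable(string $realm, array $server): bool
{
    $realmHost = parse_url($realm, PHP_URL_HOST);
    if (!is_string($realmHost) || !isset($server['SERVER_NAME'])) {
        return false;
    }
    return strcasecmp($realmHost, $server['SERVER_NAME']) === 0;
}

// Hardened pattern: the reference value is a trust root fixed in the
// application's configuration ($trustRoot is an assumed config value).
// Scheme, host and port must match exactly and the realm path must lie
// at or below the trust root path. Wildcard realms ("*.example.org")
// are not handled in this example.
function realm_is_local_hardened(string $realm, string $trustRoot): bool
{
    $r = parse_url($realm);
    $t = parse_url($trustRoot);
    if ($r === false || $t === false || !isset($r['host'], $t['host'])) {
        return false;
    }
    foreach (['scheme', 'host', 'port'] as $part) {
        $rv = isset($r[$part]) ? strtolower((string) $r[$part]) : null;
        $tv = isset($t[$part]) ? strtolower((string) $t[$part]) : null;
        if ($rv !== $tv) {
            return false;
        }
    }
    $rp = rtrim($r['path'] ?? '/', '/') . '/';
    $tp = rtrim($t['path'] ?? '/', '/') . '/';
    return strncmp($rp, $tp, strlen($tp)) === 0;
}

// Constructed request: the attacker sent "Host: evil.example" and the
// web server copied it into SERVER_NAME.
$server        = ['SERVER_NAME' => 'evil.example'];
$attackerRealm = 'http://evil.example/';
$trustRoot     = 'https://rp.example.org/';   // assumed configured trust root

$cases = [
    ['vulnerable, attacker realm',   realm_is_local_vulnerable($attackerRealm, $server)],
    ['hardened, attacker realm',     realm_is_local_hardened($attackerRealm, $trustRoot)],
    ['hardened, legitimate sub-path', realm_is_local_hardened('https://rp.example.org/login/', $trustRoot)],
];
foreach ($cases as [$label, $accepted]) {
    printf("%-32s accepted=%s\n", $label, $accepted ? 'yes' : 'no');
}
```

Run it with the PHP CLI. The vulnerable check accepts the attacker's realm because its notion of "local" came from the attacker's own Host header, while the hardened check rejects it and still accepts a realm below the configured trust root. The same rule applies to return_to validation: compare request-supplied URLs against configured values, never against SERVER_NAME or HTTP_HOST.
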
2013-12-12 | CVE-2013-1812 | Resource Management Errors vulnerability in ruby-openid (listed against multiple products) | Risk 4.3
The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.

2013-08-21 | CVE-2013-4701 | XML External Entity Injection vulnerability in Janrain php-openid 2.2.2 | Risk 7.5
Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference (an XML External Entity, XXE, issue).
Vector: network | Complexity: low | Vendor: janrain

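Parsing XRDS the way CVE-2013-4701 (XXE) and CVE-2013-1812 (oversized documents and entity expansion) both require, as an added example that is not php-openid's or ruby-openid's code: reject any DOCTYPE before libxml sees the document (XRDS needs none, and both external-entity and "billion laughs" payloads need one to declare entities), cap the document size, disable the external entity loader on PHP before 8.0, and parse with LIBXML_NONET and without LIBXML_NOENT or LIBXML_DTDLOAD. The three XRDS documents are constructed inputs; the function names and the 1 MiB cap are assumptions.

```php
<?php
// Added example, not php-openid's own code. Hardened XRDS parsing against
// XXE (CVE-2013-4701) and resource exhaustion via oversized documents or
// entity expansion (CVE-2013-1812).

const MAX_XRDS_BYTES = 1 << 20; // assumed cap; no legitimate XRDS is this large

function parse_xrds_safely(string $xml): ?DOMDocument
{
    // Bound the work before parsing: an oversized document is rejected outright.
    if (strlen($xml) > MAX_XRDS_BYTES) {
        return null;
    }
    // XRDS carries no DTD. Both XXE and "billion laughs" payloads need a
    // DOCTYPE to declare entities, so refusing any DOCTYPE removes both.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        // Before PHP 8.0 libxml fetches external entities by default.
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing; never add
    // LIBXML_NOENT (entity substitution) or LIBXML_DTDLOAD here.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    if ($prevLoader !== null) {
        libxml_disable_entity_loader($prevLoader);
    }
    return $ok ? $doc : null;
}

// Extract Service URIs from a parsed XRDS (XRD 2.0 namespace).
function xrds_service_uris(DOMDocument $doc): array
{
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('xrd', 'xri://$xrd*($v*2.0)');
    $uris = [];
    foreach ($xp->query('//xrd:Service/xrd:URI') as $node) {
        $uris[] = trim($node->textContent);
    }
    return $uris;
}

// Constructed sample inputs: one benign discovery document, one XXE
// payload, one entity-expansion payload.
$benign = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.com/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
XML;

$xxe = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY f SYSTEM "file:///etc/passwd">]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><URI>&f;</URI></Service></XRD>
</xrds:XRDS>
XML;

$xee = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><URI>&b;</URI></Service></XRD>
</xrds:XRDS>
XML;

foreach (['benign' => $benign, 'xxe' => $xxe, 'xee' => $xee] as $name => $input) {
    $doc = parse_xrds_safely($input);
    echo $name, ': ', $doc === null ? 'rejected' : implode(' ', xrds_service_uris($doc)), PHP_EOL;
}
```

The benign document yields its provider URI; the XXE and XEE documents are rejected at the DOCTYPE check, before libxml allocates anything for them. Keep the DOCTYPE rejection even on PHP 8, where external entity loading is off by default: internal entities still expand, and the size cap plus DOCTYPE refusal is what closes the CPU and memory exhaustion vector.
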
2012-07-25 | CVE-2012-2296 | Information Exposure vulnerability in Janrain RPX | Risk 5.0
The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x.
Vector: network | Complexity: low | Vendor: janrain, drupal | CWE-200

2011-09-23 | CVE-2011-3707 | Information Exposure vulnerability in Janrain php-openid 2.2.2 | Risk 5.0
JanRain PHP OpenID library (aka php-openid) 2.2.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by Auth/Yadis/Yadis.php and certain other files.
Vector: network | Complexity: low | Vendor: janrain | CWE-200

2011-02-04 | CVE-2011-0771 | Improper Input Validation vulnerability in Janrain RPX 6.x-1.3 | Risk 6.8
The Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site.