CVE-2012-2714

9.8 CRITICAL

📋 TL;DR

This vulnerability in the Drupal BrowserID (Mozilla Persona) module allows remote attackers to hijack user authentication sessions by manipulating the audience identifier parameter. Attackers can impersonate any user account on affected Drupal sites. All Drupal sites using the vulnerable BrowserID module versions are affected.

💻 Affected Systems

Products:
  • Drupal BrowserID (Mozilla Persona) module
Versions: 7.x-1.x before 7.x-1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with the BrowserID module enabled and configured for authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site compromise where attackers gain administrative privileges, access sensitive data, modify content, and potentially pivot to other systems.

🟠 Likely Case: Account takeover of regular users leading to unauthorized access to personal data, content manipulation, and privilege escalation.

🟢 If Mitigated: Limited impact with proper authentication monitoring, session management, and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well documented and a public proof-of-concept is available, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.x-1.3

Vendor Advisory: http://drupal.org/node/1597414

Restart Required: No

Instructions:

  1. Update the BrowserID module to version 7.x-1.3 or later.
  2. Navigate to Drupal admin panel.
  3. Go to Modules section.
  4. Update the BrowserID module.
  5. Clear Drupal cache.

🔧 Temporary Workarounds

Disable BrowserID Module

Temporarily disable the vulnerable module until patching is possible (Linux shell):

drush pm-disable browserid

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to authentication endpoints
  • Enable detailed authentication logging and monitor for suspicious authentication patterns

🔍 How to Verify

Check if Vulnerable:

Check Drupal modules list for BrowserID module version. Vulnerable if version is 7.x-1.0, 7.x-1.1, or 7.x-1.2.

Check Version:

drush pm-list | grep browserid

Verify Fix Applied:

Confirm that the BrowserID module version is 7.x-1.3 or later on the Drupal modules administration page.
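
The version check above can be scripted for use across several sites. The following is an added example, not code from the advisory or from the BrowserID project. The function names are hypothetical, the sample output is constructed, and the script assumes that `drush pm-list` prints Status and Version as its last two columns and shows the module as "(browserid)".

```shell
#!/bin/sh
# Added example. Version boundaries come from the advisory above:
# 7.x-1.0 to 7.x-1.2 are vulnerable, 7.x-1.3 and later carry the fix.

# Classify one version string: vulnerable | fixed | unknown
browserid_version_status() {
    case "$1" in
        7.x-1.*) patch=${1#7.x-1.} ;;
        *) echo unknown; return 0 ;;            # branch not listed in the advisory
    esac
    case "$patch" in
        ''|*[!0-9]*) echo unknown; return 0 ;;  # x-dev, rc, beta: inspect by hand
    esac
    if [ "$patch" -lt 3 ]; then echo vulnerable; else echo fixed; fi
}

# Read `drush pm-list` output on stdin and print a verdict for the module.
# Assumed column order: Package, Name (machine_name), Type, Status, Version.
browserid_exposure() {
    row=$(awk '/\(browserid\)/ { print $(NF-1), $NF; exit }')
    [ -n "$row" ] || { echo "ABSENT"; return 0; }
    state=${row% *}
    ver=${row##* }
    status=$(browserid_version_status "$ver")
    case "$status:$state" in
        vulnerable:Enabled) echo "EXPOSED $ver" ;;                # enabled and unpatched
        vulnerable:*)       echo "UPDATE-BEFORE-ENABLING $ver" ;; # present but not enabled
        fixed:*)            echo "OK $ver" ;;
        *)                  echo "REVIEW $ver" ;;                 # version could not be classified
    esac
}

# Constructed sample of pm-list output (not captured from a real site).
sample_pm_list() {
    cat <<'EOF'
 Package  Name                   Type    Status   Version
 Other    BrowserID (browserid)  Module  Enabled  7.x-1.2
 Core     Block (block)          Module  Enabled  7.14
EOF
}

# Live use: drush pm-list | browserid_exposure
sample_pm_list | browserid_exposure
```

Numeric comparison of the patch component keeps a release such as 7.x-1.10 from being misread as older than 7.x-1.3, which a plain string comparison would do.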

📡 Detection & Monitoring

Log Indicators:

  • Multiple authentication attempts from same IP with different user agents
  • Unusual authentication patterns in Drupal watchdog logs
  • Failed authentication attempts followed by successful logins from same source

Network Indicators:

  • Unusual traffic to /browserid endpoints
  • Authentication requests with manipulated audience parameters

SIEM Query:

source="drupal" AND (event_type="user_login" OR event_type="authentication") | stats count by src_ip, user
