Drupal LDAP Integration - Multiple Vulnerabilities



The LDAP Integration module enables users to authenticate against LDAP

The module does not properly implement confirmation pages for the LDAP
server activation/deactivation, which could lead to a Cross-Site Request
Forgery (CSRF) attack. The user-defined server name is not properly
escaped on the administration pages, making it vulnerable to a cross-site
scripting (XSS) attack.

User LDAP data can be viewed by unauthorized users, as it is not
properly access controlled before being displayed on user profile pages.
Additionally, some user management access rules were ignored during the
authentication process.

Versions affected

* LDAP Integration module versions for Drupal 6.x prior to LDAP
Integration 6.x-1.0-beta2
* LDAP Integration module versions for Drupal 5.x prior to LDAP
Integration 5.x-1.5
* LDAP Integration module versions for Drupal 4.7.x are now unsupported.

Drupal core is not affected. If you do not use the contributed LDAP
Integration module, there is nothing you need to do.

It is recommended that users update their Drupal LDAP modules if
affected by this vulnerability.
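
The CSRF and XSS issues described above correspond to two standard Drupal 6 patterns: route state changes through a confirm_form() page so they only happen on a token-validated POST, and escape user-defined names on output. The sketch below is an added illustration, not the LDAP Integration module's code or its actual patch; the module name example_ldap, its menu paths and the {example_ldap_servers} table are hypothetical.

```php
<?php
// Added illustration for Drupal 6. "example_ldap", its paths and the
// {example_ldap_servers} table (sid, name, status) are hypothetical.

/** Implementation of hook_menu(): the state change is reached only via a form. */
function example_ldap_menu() {
  $items['admin/settings/example_ldap/%/deactivate'] = array(
    'title' => 'Deactivate LDAP server',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_ldap_deactivate_confirm', 3),
    'access arguments' => array('administer site configuration'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** Confirmation form: a GET request only renders this page and changes nothing. */
function example_ldap_deactivate_confirm(&$form_state, $sid) {
  $name = db_result(db_query("SELECT name FROM {example_ldap_servers} WHERE sid = %d", $sid));
  $form['sid'] = array('#type' => 'value', '#value' => (int) $sid);
  // The % placeholder makes t() escape the admin-defined server name.
  return confirm_form(
    $form,
    t('Are you sure you want to deactivate the LDAP server %name?', array('%name' => $name)),
    'admin/settings/example_ldap',
    t('This action changes how users authenticate.'),
    t('Deactivate'),
    t('Cancel')
  );
}

/** Submit handler: runs only for a POST whose form token Form API has validated. */
function example_ldap_deactivate_confirm_submit($form, &$form_state) {
  db_query("UPDATE {example_ldap_servers} SET status = 0 WHERE sid = %d", $form_state['values']['sid']);
  drupal_set_message(t('The LDAP server has been deactivated.'));
  $form_state['redirect'] = 'admin/settings/example_ldap';
}

/** Rows for the admin server list: every user-defined name passes through check_plain(). */
function example_ldap_server_rows() {
  $rows = array();
  $result = db_query("SELECT sid, name FROM {example_ldap_servers} ORDER BY name");
  while ($server = db_fetch_object($result)) {
    $link = l(t('deactivate'), 'admin/settings/example_ldap/' . $server->sid . '/deactivate');
    $rows[] = array(check_plain($server->name), $link);
  }
  return $rows;
}
```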