Launchpad.net

CVE 2012-4554

The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.

CVE-2012-4554 (Candidate) is related to these bugs:

Bug #1075455: SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

Summary				In	Importance	Status
	1075455	SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure		drupal7 (Ubuntu)	Undecided	Fix Released
	1075455	SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure		drupal7 (Debian)	Unknown	Fix Released

Bug #1087497: Drupal7 SA-CORE-2012-003 Security Bugfix should backport to 12.04 and 12.10

Summary				In	Importance	Status
	1087497	Drupal7 SA-CORE-2012-003 Security Bugfix should backport to 12.04 and 12.10		drupal7 (Ubuntu)	Undecided	New

See the

CVE page on Mitre.org for more details.