{"id":"CVE-2021-32792","details":"mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability when using `OIDCPreservePost On`.","modified":"2026-04-16T04:32:06.986947933Z","published":"2021-07-26T17:15:08.280Z","related":["ALSA-2022:1823","GHSA-458c-7pwg-3j7j","SUSE-SU-2021:3020-1","SUSE-SU-2021:3352-1","SUSE-SU-2025:4532-1","openSUSE-SU-2021:1277-1","openSUSE-SU-2021:3020-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/"},{"type":"ADVISORY","url":"https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9"},{"type":"FIX","url":"https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-458c-7pwg-3j7j"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://github.com/zmartzone/mod_auth_openidc/commit/00c315cb0c8ab77c67be4a2ac08a71a83ac58751"},{"type":"FIX","url":"https://github.com/zmartzone/mod_auth_openidc/commit/55ea0a085290cd2c8cdfdd960a230cbc38ba8b56"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openidc/mod_auth_openidc","events":[{"introduced":"0"},{"fixed":"e33cd488cb9ce027dae692e06767a0ba7ed5e1de"},{"fixed":"00c315cb0c8ab77c67be4a2ac08a71a83ac58751"},{"fixed":"55ea0a085290cd2c8cdfdd960a230cbc38ba8b56"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.4.9"}]}}],"versions":["2.3.11rc1","v1.5","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.5","v1.6.0","v1.7.0","v1.8.0","v1.8.1","v1.8.10","v1
.8.2","v1.8.3","v1.8.4","v1.8.5","v1.8.6","v1.8.7","v1.8.8","v1.8.9","v2.0.0","v2.0.0rc1","v2.0.0rc4","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.2.0","v2.3.0","v2.3.0rc0","v2.3.0rc3","v2.3.1","v2.3.10","v2.3.10.1","v2.3.10.2","v2.3.11","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.3.6","v2.3.7","v2.3.8","v2.3.9","v2.4.0","v2.4.0.1","v2.4.0.2","v2.4.0.3","v2.4.0.4","v2.4.1","v2.4.2","v2.4.2.1","v2.4.3","v2.4.4","v2.4.4.1","v2.4.5","v2.4.6","v2.4.7","v2.4.7.1","v2.4.7.2","v2.4.8.1","v2.4.8.2","v2.4.8.3","v2.4.8.4"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]}],"vanir_signatures":[{"signature_type":"Line","deprecated":false,"target":{"file":"src/mod_auth_openidc.c"},"signature_version":"v1","source":"https://github.com/openidc/mod_auth_openidc/commit/00c315cb0c8ab77c67be4a2ac08a71a83ac58751","id":"CVE-2021-32792-2ca80fa7","digest":{"line_hashes":["314472623974046352642912142804683208340","1491808797503525465831243959703973666","198004564357983767501042946622958992165"],"threshold":0.9}},{"deprecated":false,"target":{"file":"src/mod_auth_openidc.h"},"signature_type":"Line","signature_version":"v1","source":"https://github.com/openidc/mod_auth_openidc/commit/55ea0a085290cd2c8cdfdd960a230cbc38ba8b56","id":"CVE-2021-32792-3e92ccd2","digest":{"line_hashes":["126790944525078583180071603865154972295","137650979746716140781474846618354970485","41126000354448396496718263785188861327","206805887279959803728304487681803491049"],"threshold":0.9}},{"target":{"file":"src/mod_auth_openidc.c","function":"oidc_request_post_preserved_restore"},"signature_type":"Function","deprecated":false,"signature_version":"v1","source":"https://github.com/openidc/mod_auth_openidc/commit/00c315cb0c8ab77c67be4a2ac08a71a83ac58751","id":"CVE-2021-32792-9765b1e2","digest":{"function_hash":"32194573796516897377511631364803745687","length":1474}},{"target":{"file":"src/util.c"},"sign
ature_type":"Line","deprecated":false,"signature_version":"v1","source":"https://github.com/openidc/mod_auth_openidc/commit/55ea0a085290cd2c8cdfdd960a230cbc38ba8b56","id":"CVE-2021-32792-9d2adc4e","digest":{"line_hashes":["189670386551080629756125295111748153231","35038611237783248290866212508015774975","219442016696800481728242289168819934663"],"threshold":0.9}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32792.json","vanir_signatures_modified":"2026-04-11T17:25:56Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}