Unrated severityNVD Advisory· Published Nov 16, 2014· Updated Jun 17, 2026
CVE-2014-2684
CVE-2014-2684
Description
The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
4cpe:2.3:a:zend:zendopenid:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:zend:zendopenid:*:*:*:*:*:*:*:*range: <=2.0.1
- (no CPE)range: <2.0.2
Patches
Vulnerability mechanics
References
6News mentions
0No linked articles in our index yet.