Date:
Severity: Less Critical
Vulnerability: Information Disclosure
Affected versions: <7.x-2.7

Description

The LDAP Authentication module provides LDAP/Active Directory integration for Drupal 7, including server connection management via the ldap_servers submodule.

The module did not sanitize or omit the $pass variable when logging LDAP bind failures: the watchdog() call passed the password as the %pass substitution token, so the bind password was written in plaintext to the `watchdog` database table and displayed in the Recent log messages report (admin/reports/dblog).

This vulnerability is mitigated by the fact that reading watchdog logs requires administrator-level access, which limits exposure to privileged users and to anyone who obtains read access to the Drupal database (for example through a backup or a database export).

Solution

Install the latest version.

If you use the Lightweight Directory Access Protocol (LDAP) module for Drupal 7, upgrade to ldap 7.x-2.7.

Reported by

Fixed by

Coordinated by