View online: https://www.drupal.org/sa-contrib-2018-043
Project: Mass Password Reset [1] Version: 7.x-1.0 Date: 2018-June-27 Security risk: *Less critical* 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Insecure Randomness
Description: This module enables you to reset passwords for all users based upon their user role.
The module doesn't use a strong source of randomness, creating weak and predictable passwords.
This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.
Solution: Install the latest version:
* If you use the Mass Password Reset module for Drupal 7.x, upgrade to Mass Password Reset 7.x-1.1 [3].
Also see the Mass Password Reset [4] project page.
Reported By: * Greg Knaddison [5] of the Drupal Security Team
Fixed By: * Greg Knaddison [6] of the Drupal Security Team * Mark Shropshire [7]
Coordinated By: * Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/mass_pwreset [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/mass_pwreset/releases/7.x-1.1 [4] https://www.drupal.org/project/mass_pwreset [5] https://www.drupal.org/user/36762 [6] https://www.drupal.org/user/36762 [7] https://www.drupal.org/user/14767 [8] https://www.drupal.org/u/greggles