View online: https://www.drupal.org/sa-contrib-2025-120

Project: Login Time Restriction [1] Date: 2025-December-03 Security risk: *Moderately critical* 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2] Vulnerability: Cross-Site Request Forgery

Affected versions: <1.0.3 CVE IDs: CVE-2025-13982 Description:  This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages.

The module doesn't sufficiently protect its confirmation routes from cross-site request forgery (CSRF), allowing the logout confirmation route to be triggered without user interaction.

Solution:  Install the latest version:

* If you use the Login Time Restriction module for Drupal, upgrade to Login Time Restriction v1.0.3 [3].

Reported By:  * Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team

Fixed By:  * Kunal Singh (kunal_singh) [5]

Coordinated By:  * Greg Knaddison (greggles) [6] of the Drupal Security Team * Juraj Nemec (poker10) [7] of the Drupal Security Team * Pierre Rudloff (prudloff) [8] provisional member of the Drupal Security Team * Jess (xjm) [9] of the Drupal Security Team

------------------------------------------------------------------------------ Contribution record [10]

[1] https://www.drupal.org/project/login_time_restriction [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/login_time_restriction/releases/1.0.3 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/kunal_singh [6] https://www.drupal.org/u/greggles [7] https://www.drupal.org/u/poker10 [8] https://www.drupal.org/u/prudloff [9] https://www.drupal.org/u/xjm [10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....