View online: https://www.drupal.org/sa-contrib-2020-021
Project: Password Reset Landing Page (PRLP) [1]
Date: 2020-May-27
Security risk: *Highly critical* 20/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description: This module lets you force a password update when a user logs in through a password reset link. The module does not sufficiently validate the one-time login URL, allowing a malicious user to use a specially crafted URL to log in as another user.
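What sufficient validation of a one-time login URL looks like, as an added illustration written for this page (Python; it is not the PRLP module's or Drupal core's code). The URL shape follows Drupal 8's one-time login route, /user/reset/{uid}/{timestamp}/{hash}/login, but the HMAC construction, the site secret, the sample accounts, the 24-hour lifetime and the helper names are all constructed for the example. The point it demonstrates: the hash must be recomputed server-side for the uid that appears in the path, from that account's own state, and compared in constant time; a check that accepts the uid segment without that binding lets the holder of one valid link log in as any account, which is the class of failure the advisory describes. The weak function below is a hypothetical illustration of that class, not a reconstruction of the PRLP defect.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple

LINK_TTL = 24 * 60 * 60                      # constructed policy: links live one day
SITE_SECRET = b"constructed-site-secret"     # assumption: stands in for the site's hash salt


@dataclass
class User:
    uid: int
    email: str
    password_hash: str   # folding the stored hash into the key kills old links after a reset
    last_login: int      # links issued before the latest login are treated as used


# Constructed sample accounts; nothing here comes from the advisory.
USERS = {
    1: User(1, "admin@example.test", "hash-admin", 1_590_000_000),
    7: User(7, "alice@example.test", "hash-alice", 1_590_000_000),
}


def reset_hash(user: User, timestamp: int) -> str:
    """Keyed hash that binds a link to this uid, this timestamp and the account's current state."""
    key = SITE_SECRET + user.password_hash.encode()
    data = f"{timestamp}|{user.last_login}|{user.uid}|{user.email}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_reset_url(user: User, timestamp: int) -> str:
    return f"/user/reset/{user.uid}/{timestamp}/{reset_hash(user, timestamp)}/login"


_URL_RE = re.compile(r"^/user/reset/(\d+)/(\d+)/([0-9a-f]+)/login$")


def parse_reset_url(url: str) -> Optional[Tuple[int, int, str]]:
    """Split the path into (uid, timestamp, presented_hash); None if malformed."""
    m = _URL_RE.match(url)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def validate_reset_url(url: str, now: int) -> Optional[User]:
    """Sufficient validation: every URL field is checked against server-side state."""
    parsed = parse_reset_url(url)
    if parsed is None:
        return None
    uid, timestamp, presented = parsed
    user = USERS.get(uid)
    if user is None:
        return None
    if timestamp > now or now - timestamp > LINK_TTL:   # future-dated or expired
        return None
    if timestamp < user.last_login:                      # issued before the last login: used/stale
        return None
    expected = reset_hash(user, timestamp)               # recomputed for the uid in the path
    if not hmac.compare_digest(expected, presented):     # constant-time comparison
        return None
    return user


def login_from_url_trusting_path(url: str, now: int) -> Optional[User]:
    """Hypothetical insufficient check (illustration only): parses and enforces expiry,
    but never verifies that the hash was issued for the uid named in the path."""
    parsed = parse_reset_url(url)
    if parsed is None:
        return None
    uid, timestamp, _presented = parsed
    if now - timestamp > LINK_TTL:
        return None
    return USERS.get(uid)


def demo() -> dict:
    """Issue a genuine link for alice, then rewrite its uid segment to target uid 1."""
    issued, now = 1_590_100_000, 1_590_100_600
    alice, admin = USERS[7], USERS[1]
    genuine = make_reset_url(alice, issued)
    crafted = genuine.replace("/user/reset/7/", "/user/reset/1/", 1)
    results = {
        "genuine_ok": validate_reset_url(genuine, now) is alice,
        "crafted_rejected": validate_reset_url(crafted, now) is None,
        "weak_check_logs_in_admin": login_from_url_trusting_path(crafted, now) is admin,
        "expired_rejected": validate_reset_url(genuine, issued + LINK_TTL + 1) is None,
    }
    original_hash = alice.password_hash
    alice.password_hash = original_hash + "-rotated"      # simulate a completed password reset
    results["old_link_dead_after_reset"] = validate_reset_url(genuine, now) is None
    alice.password_hash = original_hash                   # restore the sample state
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The contrast to look for when reviewing any module that adds its own landing page or login step on top of a reset flow: the uid in the path must only ever be used to look up the account whose secret-bound hash is then recomputed and compared; it must never be treated as an already-authenticated identity.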
Solution: Install the latest version:
* If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.5 [3]
Also see the Password Reset Landing Page (PRLP) [4] project page.
Reported By:
* Kyle Einecker [5]
* Seth Hill [6]

Fixed By:
* Joseph Purcell [7]
* Jitesh Doshi [8]
* Christian Crawford [9]
* Kyle Einecker [10]

Coordinated By:
* Greg Knaddison [11] of the Drupal Security Team
[1] https://www.drupal.org/project/prlp
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/prlp/releases/8.x-1.5
[4] https://www.drupal.org/project/prlp
[5] https://www.drupal.org/user/2824963
[6] https://www.drupal.org/user/676480
[7] https://www.drupal.org/user/2944035
[8] https://www.drupal.org/user/1799550
[9] https://www.drupal.org/user/2888131
[10] https://www.drupal.org/user/2824963
[11] https://www.drupal.org/user/36762