View online: https://www.drupal.org/sa-contrib-2020-021

Project: Password Reset Landing Page (PRLP) [1] Date: 2020-May-27 Security risk: *Highly critical* 20∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2] Vulnerability: Access bypass

Description:  This module enables you to force a password update when using password reset link. The module doesn't sufficiently validate the login URL allowing a malicious user to use a specially crafted URL to log in as another user.

Solution:  Install the latest version:

* If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.5 [3]

Also see the Password Reset Landing Page (PRLP) [4] project page.

Reported By:  * Kyle Einecker [5] * Seth Hill [6]

Fixed By:  * Joseph Purcell [7] * Jitesh Doshi [8] * Christian Crawford [9] * Kyle Einecker [10]

Coordinated By:  * Greg Knaddison [11] of the Drupal Security Team

[1] https://www.drupal.org/project/prlp [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/prlp/releases/8.x-1.5 [4] https://www.drupal.org/project/prlp [5] https://www.drupal.org/user/2824963 [6] https://www.drupal.org/user/676480 [7] https://www.drupal.org/user/2944035 [8] https://www.drupal.org/user/1799550 [9] https://www.drupal.org/user/2888131 [10] https://www.drupal.org/user/2824963 [11] https://www.drupal.org/user/36762