[Security-news] Mass Password Reset - Less critical - Insecure Randomness - SA-CONTRIB-2018-043
security-news at drupal.org
security-news at drupal.org
Wed Jun 27 18:25:15 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-043
Project: Mass Password Reset [1]
Version: 7.x-1.0
Date: 2018-June-27
Security risk: *Less critical* 9∕25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Insecure Randomness
Description:
This module enables you to reset passwords for all users based upon their
user role.
The module doesn't use a strong source of randomness, creating weak and
predictable passwords.
This vulnerability is mitigated by the fact that the site must be configured
to reveal the password to the attacker, which is a common configuration.
Solution:
Install the latest version:
* If you use the Mass Password Reset module for Drupal 7.x, upgrade to Mass
Password Reset 7.x-1.1 [3].
Also see the Mass Password Reset [4] project page.
Reported By:
* Greg Knaddison [5] of the Drupal Security Team
Fixed By:
* Greg Knaddison [6] of the Drupal Security Team
* Mark Shropshire [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/mass_pwreset
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/mass_pwreset/releases/7.x-1.1
[4] https://www.drupal.org/project/mass_pwreset
[5] https://www.drupal.org/user/36762
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/user/14767
[8] https://www.drupal.org/u/greggles
More information about the Security-news
mailing list