[Security-news] Login Alert - Moderately critical - Access bypass - SA-CONTRIB-2019-013
security-news at drupal.org
Wed Feb 6 18:40:59 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-013
Project: Login Alert [1]
Date: 2019-February-06
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This module provides a field on user profiles which allows users to get a
notification when their account logs in to the site. The notification e-mail
includes a link which will terminate all sessions for that user. This is
useful in the case of unauthorised access to the account.
The module doesn't employ sufficient randomness in the generation of URLs,
which represents an Access Bypass vulnerability.
Solution:
Install the latest version:
* If you use the Login Alert module for Drupal 8.x, upgrade to Login Alert
8.x-1.3 [3]
Also see the Login Alert [4] project page.
Reported By:
* Drew Webber [5] provisional member of the Drupal Security Team
Fixed By:
* Arvind Verma [6]
Coordinated By:
* Drew Webber [7] provisional member of the Drupal Security Team
* Greg Knaddison [8] member of the Drupal Security Team
[1] https://www.drupal.org/project/login_alert
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3030545/
[4] https://www.drupal.org/project/login_alert
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/3307077
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/36762
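
The description above concerns a session-termination link whose URL must not be guessable. The following is an added example, not Login Alert's code and not taken from the advisory, showing one way to issue and redeem such a link token in plain PHP. The function names, the in-memory store, the 24-hour lifetime and the URL path are assumptions.

```php
<?php
// Added illustration; every name here is hypothetical, not the module's API.
const TOKEN_TTL = 86400; // assumed link lifetime: 24 hours

/** Issue a token for the "terminate all sessions" link; only its hash is stored. */
function issue_token(array &$store, int $uid, int $now): string {
  $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
  $store[hash('sha256', $token)] = ['uid' => $uid, 'expires' => $now + TOKEN_TTL];
  return $token;
}

/** Return the uid whose sessions should be ended, or null if the token is invalid. */
function redeem_token(array &$store, string $token, int $now): ?int {
  // Reject anything that is not exactly 64 lowercase hex characters.
  if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
    return null;
  }
  $key = hash('sha256', $token);
  if (!isset($store[$key])) {
    return null;
  }
  $row = $store[$key];
  unset($store[$key]); // single use: a replayed link finds nothing
  if ($now > $row['expires']) {
    return null;
  }
  return $row['uid'];
}

// Constructed demo: array store and fixed clock stand in for a database and time().
$store = [];
$now = 1549478459;
$token = issue_token($store, 42, $now);
$link = 'https://example.com/login-alert/terminate/' . $token; // hypothetical path
var_dump(redeem_token($store, $token, $now + 60));             // valid, first use
var_dump(redeem_token($store, $token, $now + 61));             // same link replayed
var_dump(redeem_token($store, str_repeat('0', 64), $now));     // guessed token
$old = issue_token($store, 42, $now);
var_dump(redeem_token($store, $old, $now + TOKEN_TTL + 1));    // expired link
```

The token carries no user ID, timestamp or other value an outsider could reconstruct, and storing only its SHA-256 hash means a leaked table does not yield usable links.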