This module lets a site administrator log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce logout.
The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer autologout".
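The sketch below is an added illustration of this class of bug, not the module's code or its patch: stored configuration text rendered as-is versus encoded on output, plus a helper that lists stored values containing markup for review. The configuration keys, sample values and function names are all constructed for the example.

```php
<?php
// Constructed stand-in for stored module settings; the key names are hypothetical.
$config = [
  'example_logout_message' => 'Your session is about to expire.',
  'example_redirect_note'  => 'Goodbye<script>alert(1)</script>',
];

// Unsafe pattern: stored text is concatenated into the page markup unchanged,
// so any markup an administrator saved runs in every visitor's browser.
function render_unfiltered(string $text): string {
  return '<div class="logout-dialog">' . $text . '</div>';
}

// Hardened pattern: encode at output time. Drupal 7's check_plain() makes
// this same htmlspecialchars() call.
function render_escaped(string $text): string {
  return '<div class="logout-dialog">'
    . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</div>';
}

// Audit helper: return the keys whose stored value contains HTML tags, so
// they can be reviewed by hand (useful for values saved before an upgrade).
function audit_config(array $config): array {
  $flagged = [];
  foreach ($config as $key => $value) {
    if (is_string($value) && $value !== strip_tags($value)) {
      $flagged[] = $key;
    }
  }
  return $flagged;
}

foreach ($config as $key => $value) {
  echo $key, "\n  unfiltered: ", render_unfiltered($value),
       "\n  escaped:    ", render_escaped($value), "\n";
}
echo 'Values to review: ', implode(', ', audit_config($config)), "\n";
```

Upgrading stops new input from being rendered unsafely, but values saved earlier remain in the configuration, which is why the audit step is worth running once after the update.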
Install the latest version:
- If you use the Automated Logout module for Drupal 7, upgrade to Automated Logout 7.x-4.5.
- Nancy Wichmann
- Ajit Shinde, the module maintainer
- David Snopek of the Drupal Security Team