Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2017-November-29
Vulnerability:
Access bypass
Description:
This module enables you to integrate the Domain module with other popular Drupal modules. The Domain Integration Login Restrict sub-module enables you to restrict access to a domain based on the assigned domains on a user.
The Domain Integration Login Restrict sub-module doesn't sufficiently check these restrictions when using one-time logins.
This vulnerability is mitigated by the fact that an attacker must have an active account on one of the domains.
Solution:
Install the latest version:
- If you use the Domain Integration module for Drupal 7.x, upgrade to Domain Integration 7.x-1.2
Reported By:
Fixed By:
- Dominique Climenti
- Len Swaneveld the module maintainer
- Niels de Feyter the module maintainer
- David Rothstein of the Drupal Security Team
- Michael Hess of the Drupal Security Team
Coordinated By:
- David Rothstein of the Drupal Security Team
