Date: 
2018-June-27
Vulnerability: 
Insecure Randomness
Description: 

The Genpass module makes the password field optional (or hidden) on the add new user page (admin & registration). If the password field is not set during registration, the system generates a password.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker which is a common configuration.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Solution: 

Install the latest version:

  • If you use the Genpass module for Drupal 7.x-1.x, upgrade to Genpass 7.x-1.1

Also see the Generate Password project page.

Reported By: 
Fixed By: 
Coordinated By: