Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2018-June-27
Vulnerability:
Insecure Randomness
Description:
This module enables you to reset passwords for all users based upon their user role.
The module doesn't use a strong source of randomness, creating weak and predictable passwords.
This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.
Solution:
Install the latest version:
- If you use the Mass Password Reset module for Drupal 7.x, upgrade to Mass Password Reset 7.x-1.1.
Also see the Mass Password Reset project page.
Reported By:
- Greg Knaddison of the Drupal Security Team
Fixed By:
- Greg Knaddison of the Drupal Security Team
- Mark Shropshire
Coordinated By:
- Greg Knaddison of the Drupal Security Team
