Project: 
Date: 
2019-February-06
Vulnerability: 
Access bypass
Affected versions: 
<1.3.0
Description: 

This module provides a field on user profiles which allows users to get a notification when their account logs in to the site. The notification e-mail includes a link which will terminate all sessions for that user. This is useful in the case of unauthorised access to the account.

The module doesn't employ sufficient randomness in the generation of URLs, which represents an Access Bypass vulnerability.
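A sketch of how a session-termination link of this kind can be issued and redeemed with enough randomness, as an added example in plain PHP 7.4+; it is not the module's code or its fix, and the advisory does not describe the module's own scheme. The class name, the in-memory store, the 24-hour lifetime, the user ID and the URL are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical store standing in for a database table:
// sha256(token) => ['uid' => int, 'expires' => int]
final class TerminationLinkStore
{
    private array $rows = [];

    // Issue a token for $uid. 32 bytes from the OS CSPRNG give 256 bits of
    // entropy, so the URL cannot be derived from the uid, the login time or
    // any other value an outsider could know or enumerate.
    public function issue(int $uid, int $ttl = 86400, ?int $now = null): string
    {
        $now = $now ?? time();
        // base64url without padding: 32 bytes -> 43 URL-safe characters.
        $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
        // Keep only a hash, so a leaked table does not contain usable links.
        $this->rows[hash('sha256', $token)] = ['uid' => $uid, 'expires' => $now + $ttl];
        return $token;
    }

    // Return the uid whose sessions should be terminated, or null if the
    // token is malformed, unknown, already used or expired.
    public function redeem(string $token, ?int $now = null): ?int
    {
        $now = $now ?? time();
        if (!preg_match('/\A[A-Za-z0-9_-]{43}\z/', $token)) {
            return null;
        }
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        if ($row === null) {
            return null;
        }
        unset($this->rows[$key]); // single use, even when expired
        return $row['expires'] >= $now ? $row['uid'] : null;
    }
}

// Constructed usage: uid 42 and the example.test route are made up.
$store = new TerminationLinkStore();
$token = $store->issue(42);
echo 'https://example.test/login-alert/terminate/' . $token, PHP_EOL;
var_dump($store->redeem($token)); // first use of the link
var_dump($store->redeem($token)); // replay of the same link
```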

Solution: 

Install the latest version:

Also see the Login Alert project page.

Reported By: 
  • Drew Webber, provisional member of the Drupal Security Team
Fixed By: 
Coordinated By: