Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2019-November-06
Vulnerability:
Insecure Session Management
Affected versions:
<6.5.0 || >=7.0.0 <7.1.0
Description:
Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.
This vulnerability is mitigated by the fact the module social_magic_login needs to be enabled.
Solution:
Install the latest version:
- If you use the Open Social distribution for Drupal 8.x-7.x, upgrade to open social 8.x-7.1
- If you use the Open Social distribution for Drupal 8.x-6.x, upgrade to open social 8.x-6.5
Alternatively, disable the module social_magic_login.
Also see the Open Social project page.
Reported By:
- Heine of the Drupal Security Team
Fixed By:
- Heine of the Drupal Security Team
- Alexander Varwijk
- Ronald te Brake
- Drew Webber of the Drupal Security Team
Coordinated By:
- Heine of the Drupal Security Team
