it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Login Alert - Moderately critical - Access bypass - SA-CONTRIB-2019-013
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Login Alert - Moderately critical - Access bypass - SA-CONTRIB-2019-013
- Date: Wed, 6 Feb 2019 18:40:59 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-013
Project: Login Alert [1]
Date: 2019-February-06
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This module provides a field on user profiles which allows users to get a
notification when their account logs in to the site. The notification e-mail
includes a link which will terminate all sessions for that user. This is
useful in the case of unauthorised access to the account.
The module doesn't employ sufficient randomness in the generation of URLs,
which represents an Access Bypass vulnerability.
Solution:
Install the latest version:
* If you use the Login Alert module for Drupal 8.x, upgrade to Login Alert
8.x-1.3 [3]
Also see the Login Alert [4] project page.
Reported By:
* Drew Webber [5] provisional member of the Drupal Security Team
Fixed By:
* Arvind Verma [6]
Coordinated By:
* Drew Webber [7] provisional member of the Drupal Security Team
* Greg Knaddison [8] member of the Drupal Security Team
[1] https://www.drupal.org/project/login_alert
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3030545/
[4] https://www.drupal.org/project/login_alert
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/3307077
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/36762
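
Added example (not part of the advisory and not code from the Login Alert module): the Description says the session-termination link was generated without sufficient randomness, so this sketch contrasts a link token derived from guessable values with one drawn from the operating system CSPRNG, stored hashed, time-limited and single use. The advisory does not publish the module's actual scheme; every function name, the TTL, the in-memory store and the example.test URL are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration with hypothetical helper names; not the module's code.

const LINK_TTL = 86400; // assumed link lifetime in seconds

// Generic weak pattern: every input is known or guessable to an outsider,
// so the "secret" part of the URL can be recomputed or enumerated.
function weak_token(int $uid, int $loginTime): string {
    return md5($uid . ':' . $loginTime);
}

// Issue a token from the OS CSPRNG. Only its SHA-256 digest is stored, so a
// leaked token table does not reveal working links.
function issue_token(array &$store, int $uid, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 bits of randomness
    $store[hash('sha256', $token)] = ['uid' => $uid, 'expires' => $now + LINK_TTL];
    return $token;
}

// Return the uid whose sessions should be terminated, or null when the
// token is malformed, unknown, already used or expired.
function redeem_token(array &$store, string $token, int $now): ?int {
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;
    }
    $key = hash('sha256', $token);
    $row = $store[$key] ?? null;
    if ($row === null) {
        return null;
    }
    unset($store[$key]); // single use, whether or not it has expired
    return $row['expires'] >= $now ? $row['uid'] : null;
}

// Constructed demonstration: uid 42 and a fixed timestamp, in-memory store.
$store = [];
$now = 1549478459;
$token = issue_token($store, 42, $now);
echo "https://example.test/terminate-sessions/{$token}\n";
var_dump(redeem_token($store, $token, $now + 60)); // first use of the link
var_dump(redeem_token($store, $token, $now + 61)); // replay of the same link
var_dump(weak_token(42, $now) === md5('42:1549478459')); // outsider recomputes it
```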