Password Reset Landing Page (PRLP) - Highly critical - Access bypass - SA-CONTRIB-2020-021

Project: Password Reset Landing Page (PRLP)
Date: 2020-May-27
Security risk: Highly critical 20/25
Vulnerability: Access bypass

Description

This module enables you to force a password update when a user logs in through a password reset link.

The module doesn't sufficiently validate the login URL, allowing a malicious user to use a specially crafted URL to log in as another user.

Solution

Install the latest version:

If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.5.

Also see the Password Reset Landing Page (PRLP) project page.

Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. In recent years he has been actively developing AltaGrade's new back-end system.