Password Reset Landing Page (PRLP) - Highly critical - Access bypass - SA-CONTRIB-2020-021
Project: Password Reset Landing Page (PRLP)
Date: 2020-May-27
Security risk: Highly critical 20∕25
Vulnerability: Access bypass
This module enables you to force a password update when using a password reset link.
The module doesn't sufficiently validate the login URL, allowing a malicious user to use a specially crafted URL to log in as another user.
Install the latest version:
If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.5
Also see the Password Reset Landing Page (PRLP) project page.