User hash - Moderately critical - Cache poisoning - SA-CONTRIB-2021-030

Project: User hash
Date: 2021-September-22
Security risk: Moderately critical 12∕25
Vulnerability: Cache poisoning

Description

This module enables you to create an individual hash for each user. These hashes can be used for authentication instead of the user's password, e.g. for views exporters.

The module doesn't sufficiently invalidate page output when the page_cache module is used.

This vulnerability is mitigated by the fact that an attacker must have a user hash that grants access to specific content and the attack must be timed to the reset of the page cache.

Solution

Install the latest version:

If you use the user_hash module for Drupal 8 or 9, upgrade to User Hash 2.0.1.
