DRUPAL-CONTRIB-2019-075

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2019-075.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2019-075
Withdrawn
2026-03-18T18:00:07.409573Z
Published
2019-11-06T16:10:25Z
Modified
2026-03-18T18:00:07.409573Z
Summary
[none]
Details

Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.

This vulnerability is mitigated by the fact the module social_magic_login needs to be enabled.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/social

Package

Name
drupal/social
Purl
pkg:composer/drupal/social

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.5.0
Database specific
{
    "constraint": "<6.5.0"
}
Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.1.0
Database specific
{
    "constraint": ">=7.0.0 <7.1.0"
}

Database specific

affected_versions
"<6.5.0 || >=7.0.0 <7.1.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2019-075.json"