DRUPAL-CONTRIB-2020-021

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/prlp/DRUPAL-CONTRIB-2020-021.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2020-021
Published
2020-05-27T15:47:10Z
Modified
2025-12-10T23:31:24.832916Z
Summary
[none]
Details

This module enables you to force a password update when using a password reset link.
The module doesn't sufficiently validate the login URL, allowing a malicious user to use a specially crafted URL to log in as another user.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/prlp

Package

Name
drupal/prlp
Purl
pkg:composer/drupal/prlp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.5.0
Database specific
{
    "constraint": "<1.5.0"
}

Database specific

affected_versions
"<1.5.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/prlp/DRUPAL-CONTRIB-2020-021.json"