DRUPAL-CONTRIB-2021-001

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2021-001.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-001
Withdrawn
2026-03-18T18:00:07.410497Z
Published
2021-01-27T17:17:43Z
Modified
2026-03-18T18:00:07.410497Z
Summary
[none]
Details

The optional Social Auth Extra module enables you to use the single sign-on methods provided by Open Social e.g. Facebook, LinkedIn, Google and Twitter.

The module does not implement a proper cache strategy for anonymous users, which in certain scenarios allows the registration form to be cached together with disclosed information. That information is usually only available to logged-in users of the community.

This vulnerability is mitigated by the fact that social_auth_extra needs to be enabled and one of the single sign-on methods needs to be configured. There is no impact for regular registration without single sign-on.

Removing the single sign-on providers from the configuration blocks this vulnerability.

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/social

Package

Name
drupal/social
Purl
pkg:composer/drupal/social

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
8.10.0
Database specific
{
    "constraint": "<8.10.0"
}
Type
ECOSYSTEM
Events
Introduced
9.0.0
Fixed
9.8.0
Database specific
{
    "constraint": ">=9.0.0 <9.8.0"
}

Database specific

affected_versions
"<8.10.0 || >=9.0.0 <9.8.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2021-001.json"