DRUPAL-CONTRIB-2021-011

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2021-011.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-011

Withdrawn

2026-03-18T18:00:07.403100Z

Published

2021-06-02T16:51:10Z

Modified

2026-03-18T18:00:07.403100Z

Summary

[none]

Details

Open Social is a Drupal distribution for online communities.

The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.

This vulnerability is mitigated by the fact the module social_magic_login needs to be enabled.

References

https://www.drupal.org/sa-contrib-2021-011

Credits

- Alexander Varwijk
- - https://www.drupal.org/user/1868952
- Robert Ragas
- - https://www.drupal.org/user/2723261
- Ronald te Brake
- - https://www.drupal.org/user/2314038

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/social

Package

Name: drupal/social
Purl: pkg:composer/drupal/social

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

10.0.13

Database specific

{
    "constraint": "<10.0.13"
}

Type

ECOSYSTEM

Events

Introduced

10.1.0

Fixed

10.1.6

Database specific

{
    "constraint": ">=10.1.0 <10.1.6"
}

Database specific

affected_versions

"<10.0.13 || >=10.1.0 <10.1.6"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2021-011.json"