DRUPAL-CONTRIB-2021-030

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/user_hash/DRUPAL-CONTRIB-2021-030.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-030

Published

2021-09-22T16:43:17Z

Modified

2025-12-10T23:31:16.075374Z

Summary

[none]

Details

This module enables you to create an individual hash for each user. These hashes can be used for authentication instead of the user's password, e.g. for views exporters.

The module doesn't sufficiently invalidate page output when the page_cache module is used.

This vulnerability is mitigated by the fact that an attacker must have a user hash that grants access to specific content and the attack must be timed to the reset of the page cache.

References

https://www.drupal.org/sa-contrib-2021-030

Credits

- Jürgen Haas
- - https://www.drupal.org/user/168924
- Lee Rowlands
- - https://www.drupal.org/user/395439

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/user_hash

Package

Name: drupal/user_hash
Purl: pkg:composer/drupal/user_hash

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.0.1

Database specific

{
    "constraint": "<2.0.1"
}

Database specific

affected_versions

"<2.0.1"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/user_hash/DRUPAL-CONTRIB-2021-030.json"