Open Social - Critical - Authentication Bypass - SA-CONTRIB-2021-011

Project: Open SocialDate: 2021-June-02Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Authentication BypassDescription: Open Social is a Drupal distribution for online communities.
The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.
This vulnerability is mitigated by the fact the module social_magic_login needs to be enabled.Solution: Install the latest version of Open Social:

Alternatively, disable the module social_magic_login.Reported By: 

Fixed By: 

Coordinated By: 

Path to article