Password Reset Landing Page (PRLP) - Highly critical - Access bypass - SA-CONTRIB-2020-021

Project: Password Reset Landing Page (PRLP)
Date: 2020-May-27
Security risk: Highly critical 20∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Access bypass
Description: This module enables you to force a password update when using a password reset link.
The module doesn't sufficiently validate the login URL, allowing a malicious user to use a specially crafted URL to log in as another user.
Solution: Install the latest version:

  • If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.5

Also see the Password Reset Landing Page (PRLP) project page.

Reported By:

Fixed By: 

Coordinated By: 
