Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072

Project: Session Limit
Version: 7.x-2.2, 8.x-1.0-beta2
Date: 2018-October-31
Security risk: Critical 15/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Insecure Session Management

Description:
The session limit module enables a site administrator to set a policy around the number of active sessions users of the site may have. This is typically set to one so that you can only be logged in once with the same user account.

In one configuration of the module, when a user logs in with another session elsewhere already active, the module asks the user which session should be closed before they can proceed with login. The module does not sufficiently tokenise the list of sessions, so the user's session keys can be found through inspection of the form.

This vulnerability is mitigated by the fact that an attacker must already be able to intercept the contents of the HTML page to exploit the issue. That ability to intercept may come from Cross Site Scripting. This makes a Cross Site Scripting vulnerability worse than it would normally be.

Solution:
Install the latest version:

  • If you use the Session Limit module for Drupal 7.x, upgrade to 7.x-2.3
  • If you use the Session Limit module for Drupal 8.x, upgrade to 8.x-1.0-beta3

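As an added illustration of the weakness described above (not the module's code, and written in Python rather than Drupal's PHP), here is the session-choice form built the insecure way, with the raw session ids as option values, beside a tokenised version that keeps a per-render token map in server-side form state so the page never carries a session key. The session ids and labels are constructed sample data.

```python
"""Session-choice form: raw session ids in the page vs. opaque per-form tokens."""
import secrets

# Constructed sample: (session_id, label) for one user's active sessions.
ACTIVE_SESSIONS = [
    ("SESSa1b2c3d4e5f6", "Firefox on Linux, started 2018-10-31 10:12"),
    ("SESS0f9e8d7c6b5a", "Chrome on Android, started 2018-10-30 22:40"),
]


def build_form_insecure(sessions):
    """Pattern the advisory describes: option values are the session ids,
    so anything able to read the page (e.g. injected script) learns them."""
    return {"session": {sid: label for sid, label in sessions}}


def build_form_tokenised(sessions):
    """Hardened pattern: the page carries only random per-render tokens; the
    token -> session id map stays in server-side form state. Returns
    (form_as_rendered, server_side_state)."""
    options, state = {}, {}
    for sid, label in sessions:
        token = secrets.token_urlsafe(16)  # unguessable, never a session key
        options[token] = label
        state[token] = sid
    return {"session": options}, state


def resolve_choice(state, submitted_token):
    """On submit, look the token up server-side. Tokens are single-use;
    an unknown or replayed token yields None (treat as a failed submit)."""
    return state.pop(submitted_token, None)


def page_leaks_session_key(form, sessions):
    """Does any real session id appear anywhere in the rendered form?"""
    rendered = repr(form)
    return any(sid in rendered for sid, _ in sessions)


if __name__ == "__main__":
    print("raw-id form leaks a key:",
          page_leaks_session_key(build_form_insecure(ACTIVE_SESSIONS), ACTIVE_SESSIONS))
    form, state = build_form_tokenised(ACTIVE_SESSIONS)
    print("tokenised form leaks a key:", page_leaks_session_key(form, ACTIVE_SESSIONS))
    token = next(iter(form["session"]))
    print("submitted token resolves to:", resolve_choice(state, token))
    print("replayed token resolves to:", resolve_choice(state, token))
```

The tokenised form still lets the user pick which session to end, but a script that can read the page sees only labels and throwaway tokens, which is the property the fix in 7.x-2.3 and 8.x-1.0-beta3 restores.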
Also see the Session Limit project page.