CVSS2: AV:N/AC:M/Au:N/C:N/I:P/A:N
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
EPSS Percentile: 70.4%
This module enables you to customise the standard Drupal registration and login processes.
The module doesn't filter user-supplied information from the URL, resulting in a reflected Cross-Site Scripting (XSS) vulnerability.
The module introduces a concept of a “pre-authorized role” which can have different permissions than the normal Drupal core authorized role. Logintoboggan usually removes permissions for a user if those permissions are in the “authorized user” role and not in the “pre-authorized role”. The module failed to remove those permissions for users in a pre-authorized state on all “Page Not Found” (i.e. 404) pages.
This vulnerability is mitigated by the fact that a site must use the “pre-authorized role” feature and an attacker would only gain permissions available to authenticated users and would only gain them on 404 pages which do not show private information in a default Drupal installation.
Drupal core is not affected. If you do not use the contributed LoginToboggan module, there is nothing you need to do.
Install the latest version:
Also see the LoginToboggan project page.
drupal.org/project/logintoboggan