Date
Severity
Less Critical
Vulnerability
Information Disclosure
Affected versions
<7.x-2.11

Description

The Login One Time module provides one-time login links for user authentication. The module's "login_one_time_page()" function previously called "drupal_access_denied()" for invalid or expired login attempts, so those requests returned a different HTTP status code and response than the module's other failure cases.

This inconsistency could allow attackers to distinguish between:
- Invalid/expired one-time login links for existing accounts
- Attempts with non-existent user IDs or inactive accounts

By analyzing the different responses, attackers could potentially enumerate valid user accounts on the system, which is a privacy and security concern.
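The following Python model, added here and not taken from the module, places the divergent-response pattern the advisory describes beside a handler with a single failure path, together with a uniformity check a maintainer could keep as a regression test. The user table, token values, and the 302 redirect used for the non-403 failure cases are assumptions; the advisory does not state what the other failure paths returned.

```python
import time

# Constructed user table (uid -> record); not real module data.
USERS = {
    1: {"status": 1, "token": "tok-valid", "expires": time.time() + 3600},
    2: {"status": 0, "token": "tok-blocked", "expires": time.time() + 3600},
}

def login_one_time_vulnerable(uid, token, now=None):
    """Pre-2.11 shape: a bad or expired link for an existing active account
    takes the drupal_access_denied() branch (modelled as HTTP 403), while an
    unknown uid or inactive account takes another branch (assumed redirect)."""
    now = time.time() if now is None else now
    account = USERS.get(uid)
    if account is None or account["status"] != 1:
        return (302, "/user/password")
    if token != account["token"] or now > account["expires"]:
        return (403, "Access denied")
    return (200, f"/user/{uid}")

def login_one_time_fixed(uid, token, now=None):
    """Hardened shape: every rejection, whatever its cause, yields one response."""
    now = time.time() if now is None else now
    account = USERS.get(uid)
    valid = (account is not None and account["status"] == 1
             and token == account["token"] and now <= account["expires"])
    if not valid:
        return (302, "/user/password")
    return (200, f"/user/{uid}")

def failure_responses(handler):
    """Distinct responses across the failure cases the advisory lists:
    wrong token for an active account, unknown uid, inactive account."""
    probes = [(1, "tok-wrong"), (999, "tok-wrong"), (2, "tok-blocked")]
    return {handler(uid, tok) for uid, tok in probes}

def is_enumeration_oracle(handler):
    """A handler leaks account state when its failure responses differ."""
    return len(failure_responses(handler)) > 1
```

Running is_enumeration_oracle() over each handler shows the first returning True and the second False, which is the property the 7.x-2.11 fix restores.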

Solution

Install the latest version.

If you use the Login One Time module for Drupal 7, upgrade to login_one_time 7.x-2.11:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by