Tag1 D7ES Security Advisories

The Login One Time module lacked flood control protection against brute force attacks on one-time login links, allowing attackers to make unlimited attempts to guess valid login parameters.

The module has been updated to use consistent error messaging for all login failure cases. Instead of using "drupal_access_denied()", the module now displays a generic error message: "You have tried to use a one-time login link that is invalid or has expired. Please use the log in form to supply your username and password." and redirects users to the login page.

The HybridAuth Social Login module contained a Server Side Request Forgery (SSRF) vulnerability in its user picture handling functionality, allowing attackers to force the server to make HTTP requests to arbitrary URLs by supplying a malicious picture URL through a controlled social identity provider.

The LDAP Authentication module logged the LDAP bind password in plaintext to Drupal's watchdog system whenever a non-anonymous bind failed, potentially exposing service account credentials to anyone with access to the site's log reports.

SAML SSO - Service Provider doesn't sufficiently block access, leading to a authentication bypass vulnerability.

The OpenID Connect module contained a Server Side Request Forgery (SSRF) vulnerability in its user picture handling functionality, allowing attackers to force the server to make HTTP requests to arbitrary URLs through malicious user picture URLs.

The OpenID Connect module introduced a prompt parameter configuration that, when misconfigured, could potentially weaken authentication security by allowing users to bypass certain authentication requirements through OpenID Connect identity providers.

The OpenID Connect module contained an email uniqueness validation vulnerability that allowed duplicate user accounts to be created with email addresses that differ only in case, potentially leading to account confusion and authentication bypass scenarios.

The User Alert module contained an Insecure Direct Object Reference (IDOR) vulnerability in its message dismissal endpoint, allowing authenticated users to mark any node as dismissed without proper access control checks.

The Login Disable module contained an access bypass vulnerability in its user login hook, allowing users to bypass the access key requirement through non-form login routes like Services or RESTful APIs.