Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing.This issue affects Persistent Login: from 0.0.0 before 1.8.0, from 2.0.* before 2.2.2.
The vulnerability consists in the fact that user sessions are not properly invalidated after their expiration or logout, which is characteristic of CWE-613. An attacker can exploit the Forceful Browsing technique — which is an attempt to directly access protected resources using still active, although formally invalid session tokens or persistent login cookies. In practice, this means that even after a user logs out or the intended session time expires, the persistent login mechanism does not effectively invalidate the issued tokens.
An unauthenticated attacker can gain unauthorized access to another user's account and perform actions on their behalf, leading to violations of confidentiality, integrity, and data availability. In the case of session hijacking of an account with high privileges, complete takeover of the Drupal application is possible.
The Persistent Login module should be updated to version 1.8.0 or later (for the 1.x branch) or to version 2.2.2 or later (for the 2.x branch). Detailed information is available in the Drupal security advisory: https://www.drupal.org/sa-contrib-2024-044.
Drupal Persistent Login module in versions from 0.0.0 before 1.8.0 and in versions of the 2.0.x branch before 2.2.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPersistent Login Project Persistent Login
APPPersistent Login Project< 1.8.02.0.0 – 2.1.1 (bez)2.2.0 – 2.2.2 (bez)