Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072

Project: Session Limit
Version: 7.x-2.28.x-1.0-beta2
Date: 2018-October-31
Security risk: *Critical* 15∕25
Vulnerability: Insecure Session Management


The session limit module enables a site administrator to set a policy around
the number of active sessions users of the site may have. This is typically
set to one so that you can only be logged in once with the same user account.

In one configuration of the module, when a user logs in with another session
elsewhere already active, the module asks the user which session should be
closed before they can proceed with login. The module does not sufficiently
tokenize the list of sessions so that the user's session keys can be found
through inspection of the form.

This vulnerability is mitigated by the fact that an attacker must already be
able to intercept the contents of the HTML page to exploit the issue. That
ability to intercept may come from Cross Site Scripting. This makes a Cross
Site Scripting vulnerability worse than it would normally be.


Install the latest version:

* If you use the Session Limit module for Drupal 7.x, upgrade to 7.x-2.3
* If you use the Session Limit module for Drupal 8.x, upgrade to 8.x-1.0-beta3

Also see the Session Limit project page.

Add new comment