{"id":"DRUPAL-CONTRIB-2019-075","details":"Open Social is a Drupal distribution for online communities. The included social\\_magic\\_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.\n\nThis vulnerability is mitigated by the fact the module social\\_magic\\_login needs to be enabled.","modified":"2026-03-18T18:00:07.409573Z","published":"2019-11-06T16:10:25Z","withdrawn":"2026-03-18T18:00:07.409573Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-contrib-2019-075"}],"affected":[{"package":{"name":"drupal/social","ecosystem":"Packagist:https://packages.drupal.org/8","purl":"pkg:composer/drupal/social"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.5.0"}],"database_specific":{"constraint":"\u003c6.5.0"}},{"type":"ECOSYSTEM","events":[{"introduced":"7.0.0"},{"fixed":"7.1.0"}],"database_specific":{"constraint":"\u003e=7.0.0 \u003c7.1.0"}}],"database_specific":{"affected_versions":"\u003c6.5.0 || \u003e=7.0.0 \u003c7.1.0","source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2019-075.json"}}],"schema_version":"1.7.3","credits":[{"name":"Heine","contact":["https://www.drupal.org/user/17943"]}]}