This module enables users to remain logged in separately from session timeouts.
The module doesn't sufficiently check a user's disabled status when validating cookies.
This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login.
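The missing check described above, shown as an added example that is not the module's code: a simplified persistent-login validator without and with the account-status test. The `Account` and `TokenStore` classes, the function names, and the sample account and token are all hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical model, not the module's API. Sample data below is constructed.
final class Account {
    public function __construct(public int $uid, public bool $active) {}
}

final class TokenStore {
    /** @var array<string, array{uid:int, expires:int}> keyed by SHA-256 of the token */
    private array $rows = [];

    public function issue(int $uid, int $ttl, int $now): string {
        $token = bin2hex(random_bytes(32));
        $this->rows[hash('sha256', $token)] = ['uid' => $uid, 'expires' => $now + $ttl];
        return $token;
    }

    // Returns the stored row only while the token is unexpired.
    public function find(string $token, int $now): ?array {
        $row = $this->rows[hash('sha256', $token)] ?? null;
        return ($row !== null && $row['expires'] > $now) ? $row : null;
    }
}

// Flawed pattern: an unexpired token is sufficient; account status is never consulted.
function validateWithoutStatusCheck(TokenStore $store, string $token, int $now): ?int {
    return $store->find($token, $now)['uid'] ?? null;
}

// Corrected pattern: the token's owner must still exist and be active.
function validateWithStatusCheck(TokenStore $store, array $accounts, string $token, int $now): ?int {
    $row = $store->find($token, $now);
    if ($row === null) {
        return null;
    }
    $account = $accounts[$row['uid']] ?? null;
    return ($account !== null && $account->active) ? $account->uid : null;
}

$now = time();
$store = new TokenStore();
$accounts = [7 => new Account(7, true)];
$cookie = $store->issue(7, 86400, $now);   // user logs in with "remember me"
$accounts[7]->active = false;              // account is disabled afterwards

var_dump(validateWithoutStatusCheck($store, $cookie, $now));          // flawed check
var_dump(validateWithStatusCheck($store, $accounts, $cookie, $now));  // corrected check
```

Run with PHP 8.0 or later; the first call still returns the uid of the disabled account, while the second returns `NULL`.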
Install the latest version:
- If you use Persistent Login 8.x-1.x, upgrade to Persistent Login 8.x-1.8
- If you use Persistent Login 2.x, upgrade to Persistent Login 2.2.2
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Drew Webber of the Drupal Security Team