Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120

Project:

Date:

2025-December-03

Security risk:

Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All

Vulnerability:

Cross-Site Request Forgery

Affected versions:

<1.0.3

CVE IDs:

CVE-2025-13982

Description:

This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages.

The module doesn't sufficiently protect its confirmation routes from cross-site request forgery (CSRF), allowing the logout confirmation route to be triggered without user interaction.

Solution:

Install the latest version:

If you use the Login Time Restriction module for Drupal, upgrade to Login Time Restriction v1.0.3.

Reported By:

Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By:

Kunal Singh (kunal_singh)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Contribution record

Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community