Simplenews is careful to confirm the email address before activating a subscription. This prevents malicious subscription of other people and detects mistyped addresses.
However, using the page /newsletter/subscriptions/{snid}/{timestamp}/{hash}, the subscriber can alter their email address without confirmation, hence bypassing the above check. Since #3037307: Improve experience for anonymous subscribers to modify existing subscriptions, this page becomes much easier to access, so this problem is more serious.
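The fix the report asks for, shown as an added illustration that is not Simplenews code (all function and field names are hypothetical): the subscription page stages an address change and only applies it once a link bound to the new address has been followed, so the existing confirmation check cannot be bypassed.

```php
<?php
// Added illustration, not Simplenews code. Names and fields are hypothetical.

// Vulnerable pattern: the edit page writes the new address straight away,
// so the owner of the new mailbox is never asked to confirm it.
function update_subscription_unsafe(array &$subscriber, string $new_email): void {
    $subscriber['mail'] = $new_email; // no verification of the new mailbox
}

// Hardened pattern: the change is staged and a confirmation token bound to
// (snid, new address, timestamp) is mailed to the NEW address only.
const SITE_PRIVATE_KEY = 'placeholder-private-key'; // placeholder, use the site's real private key

function make_change_token(int $snid, string $email, int $ts): string {
    return hash_hmac('sha256', "$snid:$email:$ts", SITE_PRIVATE_KEY);
}

// Returns the confirmation path to send to $new_email, or null if nothing to do.
function request_email_change(array &$subscriber, string $new_email): ?string {
    if (!filter_var($new_email, FILTER_VALIDATE_EMAIL)) {
        return null; // mistyped address, reject up front
    }
    if (strcasecmp($new_email, $subscriber['mail']) === 0) {
        return null; // address unchanged
    }
    $ts = time();
    $subscriber['pending_mail'] = $new_email; // stored address is NOT touched yet
    $subscriber['pending_ts'] = $ts;
    $token = make_change_token($subscriber['snid'], $new_email, $ts);
    return "/newsletter/confirm-change/{$subscriber['snid']}/$ts/$token";
}

// Called when the link is followed; applies the change only if the token is valid and fresh.
function confirm_email_change(array &$subscriber, int $ts, string $token, int $now, int $ttl = 86400): bool {
    if (empty($subscriber['pending_mail']) || $ts !== $subscriber['pending_ts']) {
        return false; // no pending change, or link from an older request
    }
    if ($now - $ts > $ttl) {
        return false; // expired link
    }
    $expected = make_change_token($subscriber['snid'], $subscriber['pending_mail'], $ts);
    if (!hash_equals($expected, $token)) {
        return false; // constant-time comparison of the submitted token
    }
    $subscriber['mail'] = $subscriber['pending_mail'];
    unset($subscriber['pending_mail'], $subscriber['pending_ts']);
    return true;
}

// Constructed sample record: the stored address stays put until the link is followed.
$sub = ['snid' => 42, 'mail' => 'alice@example.com'];
$link = request_email_change($sub, 'alice.new@example.com');
```

Because the token covers the new address, a later change of the pending address invalidates any link already sent, and a link for one subscription cannot be replayed against another.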
Note that Drupal core has the same bug: "Use email verification when changing user email addresses" (Needs work)
Postponed
3.0
Code