Anonymous subscriber can change email address without confirmation

Created on 11 July 2021, over 3 years ago
Updated 2 August 2023, over 1 year ago

Problem/Motivation

Simplenews is careful to confirm the email address before activating a subscription. This prevents malicious subscription of other people and detects mistyped addresses.

However, using the page /newsletter/subscriptions/{snid}/{timestamp}/{hash}, the subscriber can alter their email address without confirmation, bypassing the check above. Since #3037307: Improve experience for anonymous subscribers to modify existing subscriptions, this page has become much easier to access, so the problem is more serious.

Note that Drupal core has the same bug: Use email verification when changing user email addresses (status: Needs work).
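As an added example (not Simplenews or Drupal code), the following Python model contrasts the behaviour the issue describes with an address change that must be confirmed from the new mailbox. The management link /newsletter/subscriptions/{snid}/{timestamp}/{hash} is modelled as an HMAC over the subscriber id and timestamp; the site key, the subscriber store, the link lifetime and the token handling are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the site's private key and subscriber storage.
# Neither is Simplenews' real data model; they only carry the example.
SITE_KEY = b"constructed-site-private-key"
SUBSCRIBERS = {
    42: {"email": "alice@example.com", "pending_email": None, "pending_token": None},
}
LINK_MAX_AGE = 86400  # assumed lifetime of a management link, in seconds


def manage_hash(snid: int, timestamp: int) -> str:
    """Model of the {hash} segment: an HMAC binding subscriber id and timestamp."""
    msg = f"{snid}:{timestamp}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()


def valid_manage_link(snid: int, timestamp: int, given: str, now: int) -> bool:
    """Accept the link only for a known subscriber, within its lifetime and with a
    matching hash. A valid link shows the holder could read mail at the OLD
    address; it says nothing about any new address, so a change needs its own
    confirmation."""
    if snid not in SUBSCRIBERS or now - timestamp > LINK_MAX_AGE:
        return False
    return hmac.compare_digest(manage_hash(snid, timestamp), given)


def change_email_unconfirmed(snid: int, new_email: str) -> None:
    """Behaviour described in the issue: the address is replaced at once, so a
    management link alone is enough to point the subscription at any mailbox."""
    SUBSCRIBERS[snid]["email"] = new_email


def request_email_change(snid: int, new_email: str) -> str:
    """Hardened form: stage the new address and issue a confirmation token.
    The token would be mailed only to new_email; the live address is untouched."""
    token = secrets.token_urlsafe(32)
    SUBSCRIBERS[snid]["pending_email"] = new_email
    SUBSCRIBERS[snid]["pending_token"] = token
    return token


def confirm_email_change(snid: int, token: str) -> bool:
    """Apply the staged address only when the mailed token is presented once."""
    sub = SUBSCRIBERS[snid]
    if sub["pending_token"] is None or not hmac.compare_digest(sub["pending_token"], token):
        return False
    sub["email"], sub["pending_email"], sub["pending_token"] = sub["pending_email"], None, None
    return True
```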

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Postponed

Version

3.0

Component

Code

Created by

🇬🇧United Kingdom adamps

  • Security improvements
