CVE-2025-13982

8.1 HIGH

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in the Drupal Login Time Restriction module allows attackers to trick authenticated users into performing unintended actions. This affects Drupal sites using the Login Time Restriction module version 0.0.0 through 1.0.2. Site administrators and users with access to restricted login time settings are particularly vulnerable.

💻 Affected Systems

Products:
  • Drupal Login Time Restriction module
Versions: 0.0.0 through 1.0.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with the Login Time Restriction module installed and enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify login time restrictions for all users, potentially locking legitimate users out of the system or granting unauthorized access during restricted hours.

🟠

Likely Case

Attackers could modify login time settings for specific users or groups, disrupting normal operations and potentially enabling unauthorized access.

🟢

If Mitigated

With proper CSRF protections and user awareness, the risk is limited to authenticated sessions where users are tricked into visiting malicious sites while logged in.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated user with appropriate permissions to visit a malicious website while logged into the Drupal site.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.3

Vendor Advisory: https://www.drupal.org/sa-contrib-2025-120

Restart Required: No

Instructions:

1. Update the Login Time Restriction module to version 1.0.3 or later via Drupal's update manager.
2. Clear Drupal caches after the update.
3. Verify the update was successful by checking the module version.

🔧 Temporary Workarounds

Temporary module disable (linux)

Disable the Login Time Restriction module until patched:

drush pm-disable login_time_restriction

CSRF token validation (all platforms)

Implement custom CSRF protection for the module's forms.

🧯 If You Can't Patch

  • Restrict access to users who can modify login time settings to only trusted administrators
  • Implement web application firewall rules to detect and block CSRF attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the Login Time Restriction module is installed and whether its version is between 0.0.0 and 1.0.2.

Check Version:

drush pm-list | grep login_time_restriction

Verify Fix Applied:

Verify that the module version is 1.0.3 or later and test that form submissions include CSRF tokens.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected modifications to login_time_restriction settings
  • Form submissions without proper CSRF tokens

Network Indicators:

  • HTTP POST requests to login time restriction endpoints without referrer validation

SIEM Query:

source="drupal" AND (event_type="form_submission" AND form_id="login_time_restriction_*") AND NOT csrf_token=*
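The SIEM query above can be applied directly to a stream of events. The following Python script is an added example, not part of this advisory or of the Login Time Restriction module: it parses constructed JSON-lines events whose field names mirror the query (source, event_type, form_id, csrf_token) and flags form submissions to the module's forms that carry no CSRF token. Real Drupal watchdog or web-server logs use different field names, so the parsing would need to be adapted; treating an empty csrf_token value the same as an absent one is also an assumption.

```python
"""Detection example for CVE-2025-13982: flag Drupal form submissions to
Login Time Restriction forms that lack a CSRF token (constructed data)."""
import fnmatch
import json

# Constructed sample events. Field names follow the SIEM query on the page;
# uid values and tokens are made up for illustration only.
SAMPLE_LOG = """\
{"source": "drupal", "event_type": "form_submission", "form_id": "login_time_restriction_settings", "csrf_token": "tok-a1b2", "uid": 1}
{"source": "drupal", "event_type": "form_submission", "form_id": "login_time_restriction_user_form", "uid": 42}
{"source": "drupal", "event_type": "form_submission", "form_id": "login_time_restriction_settings", "csrf_token": "", "uid": 7}
{"source": "drupal", "event_type": "page_view", "form_id": "login_time_restriction_settings", "uid": 7}
{"source": "nginx", "event_type": "form_submission", "form_id": "login_time_restriction_settings", "uid": 9}
"""

FORM_GLOB = "login_time_restriction_*"  # same wildcard as form_id in the query


def parse_lines(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank
    or malformed lines so one bad record does not stop the whole scan."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_suspicious(event, form_glob=FORM_GLOB):
    """Mirror the query: source="drupal" AND event_type="form_submission"
    AND form_id matches the glob AND NOT csrf_token=* (token absent).
    An empty-string token is treated as absent (assumption)."""
    if event.get("source") != "drupal":
        return False
    if event.get("event_type") != "form_submission":
        return False
    if not fnmatch.fnmatchcase(str(event.get("form_id", "")), form_glob):
        return False
    token = event.get("csrf_token")
    return token is None or token == ""


def find_suspicious(events):
    """Return the events that match the detection rule, in log order."""
    return [e for e in events if is_suspicious(e)]


def suspicious_uids(text):
    """Convenience wrapper: uids behind token-less submissions in raw log text."""
    return [e.get("uid") for e in find_suspicious(parse_lines(text))]


if __name__ == "__main__":
    for event in find_suspicious(parse_lines(SAMPLE_LOG)):
        print("ALERT token-less submission:", json.dumps(event))
```

Run against the constructed sample, only the two submissions without a usable token (uid 42 and uid 7) are reported; the page view and the non-Drupal source are ignored exactly as the query's AND conditions require. In production the same rule should be fed from whatever audit logging records form submissions on the site, and any hit is worth correlating with the "unexpected modifications to login_time_restriction settings" indicator listed above.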

🔗 References
