View online: https://www.drupal.org/sa-contrib-2024-041
Project: Smart IP Ban [1]
Date: 2024-September-18
Security risk: *Critical* 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description: The Smart IP Ban module enables a site to automatically ban an IP address based upon too many failed authentications.
The module doesn't sufficiently protect access to certain paths that it provides, allowing a malicious user to view and modify the settings.
Solution: Install the latest version:
* If you use the Smart IP Ban module for Drupal 7.x, upgrade to Smart IP Ban 7.x-1.1 [3]
Reported By:
* Shawn Gants [4]
Fixed By:
* Sivaji Ganesh Jojodae [5]
Coordinated By:
* Greg Knaddison [6] of the Drupal Security Team
* Damien McKenna [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team
[1] https://www.drupal.org/project/smart_ip_ban
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/smart_ip_ban/releases/7.x-1.1
[4] https://www.drupal.org/user/2351786
[5] https://www.drupal.org/user/328724
[6] https://www.drupal.org/user/36762
[7] https://www.drupal.org/u/DamienMcKenna
[8] https://www.drupal.org/u/poker10