View online: https://www.drupal.org/sa-contrib-2024-073
Project: Login Disable [1] Date: 2024-December-11 Security risk: *Critical* 16 ∕ 25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.1.1 Description: This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.
The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass the protection offered by the module.
This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if their login is disabled.
Solution: Install the latest version:
* If you use the Login Disable module for Drupal 9.x / 10.x, upgrade to Login Disable 2.1.1 [3]
The Drupal 7 version of the module is not affected.
Reported By: * e5sego [4]
Fixed By: * e5sego [5] * Sang Lostrie [6]
Coordinated By: * Ivo Van Geertruyen [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team * Benji Fisher [9] of the Drupal Security Team
[1] https://www.drupal.org/project/login_disable [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/login_disable/releases/2.1.1 [4] https://www.drupal.org/user/261590 [5] https://www.drupal.org/user/261590 [6] https://www.drupal.org/user/2727459 [7] https://www.drupal.org/u/mrbaileys [8] https://security.drupal.org/user/27 [9] https://www.drupal.org/u/benjifisher