View online: https://www.drupal.org/sa-contrib-2023-045
Project: Mail Login [1] Date: 2023-September-13 Security risk: *Critical* 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass
Affected versions: <2.8.0 Description: This module enables users to log in by email address with minimal configurations.
Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks.
Solution: Install the latest version:
* If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.8 [3]
Reported By: * Melisa Cordero [4]
Fixed By: * Melisa Cordero [5] * Mohammad AlQanneh [6]
Coordinated By: * Greg Knaddison [7] of the Drupal Security Team * xjm [8] of the Drupal Security Team
[1] https://www.drupal.org/project/mail_login [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/mail_login/releases/8.x-2.8 [4] https://www.drupal.org/user/3655438 [5] https://www.drupal.org/user/3655438 [6] https://www.drupal.org/user/2833163 [7] https://www.drupal.org/u/greggles [8] https://www.drupal.org/u/xjm