View online: https://www.drupal.org/sa-contrib-2023-048
Project: Mail Login [1] Date: 2023-October-04 Security risk: *Moderately critical* 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Access bypass
Affected versions: <2.9.0 Description: This module enables users to log in by email address with minimal configurations.
Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks.
A previous security advisory, SA-CONTRIB-2023-45 [3], was released for this issue, but that release did not successfully address the vulnerability. This security advisory and updated module version supersede the previous one.
Solution: Install the latest version:
* If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.9 [4]
Reported By: * Melisa Cordero [5] * Emil Johnsson [6]
Fixed By: * Melisa Cordero [7] * Mohammad AlQanneh [8] * Lee Rowlands [9] of the Drupal Security Team * Emil Johnsson [10]
Coordinated By: * Greg Knaddison [11] of the Drupal Security Team * Drew Webber [12] of the Drupal Security Team * xjm [13] of the Drupal Security Team * Juraj Nemec [14] of the Drupal Security Team * Neil Drumm [15] of the Drupal Security Team
[1] https://www.drupal.org/project/mail_login [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/sa-contrib-2023-045 [4] https://www.drupal.org/project/mail_login/releases/8.x-2.9 [5] https://www.drupal.org/user/3655438 [6] https://www.drupal.org/user/1868992 [7] https://www.drupal.org/user/3655438 [8] https://www.drupal.org/user/2833163 [9] https://www.drupal.org/user/395439 [10] https://www.drupal.org/user/1868992 [11] https://www.drupal.org/user/36762 [12] https://www.drupal.org/user/255969 [13] https://www.drupal.org/user/65776 [14] https://www.drupal.org/u/poker10 [15] https://www.drupal.org/u/drumm
-
security-news@drupal.org