Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045
View online: https://www.drupal.org/sa-contrib-2023-045

Project: Mail Login [1]
Date: 2023-September-13
Security risk: *Critical* 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <2.8.0

Description:

This module enables users to log in by email address with minimal configuration.

Drupal core contains protection against brute force attacks via a flood control mechanism. This module's login functionality did not replicate that flood control, so the email-based login path could be brute-forced.

Solution:

Install the latest version:

* If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.8 [3]

Reported By:

* Melisa Cordero [4]

Fixed By:

* Melisa Cordero [5]
* Mohammad AlQanneh [6]

Coordinated By:

* Greg Knaddison [7] of the Drupal Security Team
* xjm [8] of the Drupal Security Team

[1] https://www.drupal.org/project/mail_login
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/mail_login/releases/8.x-2.8
[4] https://www.drupal.org/user/3655438
[5] https://www.drupal.org/user/3655438
[6] https://www.drupal.org/user/2833163
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/xjm
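The missing control the advisory describes, as an added illustration that is not the Mail Login module's code or its 8.x-2.8 fix: an email-based login form that applies the same per-IP and per-account flood control as core's UserLoginForm, using the core `flood` service and the `user.flood` settings. The module namespace and the `MailLoginForm` class are hypothetical.

```php
<?php
// Added example, not code from Mail Login or its 8.x-2.8 release. It applies the
// per-IP and per-account flood control of core's UserLoginForm to an email-based
// login form, via the core `flood` service and the `user.flood` settings.
namespace Drupal\example_mail_login\Form; // hypothetical module namespace
use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
class MailLoginForm extends FormBase { // hypothetical form class
  public function getFormId() { return 'example_mail_login_form'; }
  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['mail'] = ['#type' => 'email', '#title' => $this->t('Email'), '#required' => TRUE];
    $form['pass'] = ['#type' => 'password', '#title' => $this->t('Password'), '#required' => TRUE];
    $form['submit'] = ['#type' => 'submit', '#value' => $this->t('Log in')];
    return $form;
  }
  public function validateForm(array &$form, FormStateInterface $form_state) {
    $flood = \Drupal::flood();
    $config = $this->config('user.flood');
    $ip = $this->getRequest()->getClientIp();
    // Per-IP limit is checked first, before any password is examined.
    if (!$flood->isAllowed('user.failed_login_ip', $config->get('ip_limit'), $config->get('ip_window'))) {
      $form_state->setErrorByName('mail', $this->t('Too many failed login attempts from your IP address. Try again later.'));
      return;
    }
    $accounts = \Drupal::entityTypeManager()->getStorage('user')
      ->loadByProperties(['mail' => $form_state->getValue('mail'), 'status' => 1]);
    $account = reset($accounts);
    // Same per-account identifier scheme as core: uid alone if uid_only is set, else uid-ip.
    $identifier = $account ? ($config->get('uid_only') ? $account->id() : $account->id() . '-' . $ip) : NULL;
    if ($account && !$flood->isAllowed('user.failed_login_user', $config->get('user_limit'), $config->get('user_window'), $identifier)) {
      $form_state->setErrorByName('mail', $this->t('Too many failed login attempts for this account. Try again later.'));
      return;
    }
    $uid = $account ? \Drupal::service('user.auth')->authenticate($account->getAccountName(), $form_state->getValue('pass')) : FALSE;
    if ($uid) {
      $flood->clear('user.failed_login_user', $identifier);
      $form_state->set('uid', $uid);
      return;
    }
    // Failed attempt: count it against the IP, and against the account when one matched.
    $flood->register('user.failed_login_ip', $config->get('ip_window'));
    if ($account) {
      $flood->register('user.failed_login_user', $config->get('user_window'), $identifier);
    }
    $form_state->setErrorByName('pass', $this->t('Unrecognized email address or password.'));
  }
  public function submitForm(array &$form, FormStateInterface $form_state) {
    user_login_finalize(\Drupal\user\Entity\User::load($form_state->get('uid')));
  }
}
```

Because the IP counter is registered even when no account matches the address, an attacker cannot avoid the limit by guessing addresses, and the same error text is used for unknown and wrong-password cases.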