[Security-news] Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073
security-news at drupal.org
security-news at drupal.org
Wed Dec 11 17:45:51 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-073
Project: Login Disable [1]
Date: 2024-December-11
Security risk: *Critical* 16 ∕ 25
AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.1.1
Description:
This module enables you to prevent existing users from logging in to your
Drupal site unless they know the secret key to add to the end of the ?q=user
login form page.
The Login Disable module does not correctly prevent a user with a disabled
login from logging in, allowing those users to by-pass the protection offered
by the module.
This vulnerability is mitigated by the fact that an attacker must already
have a user account to log in. This bug therefore allows users to log in even
if their login is disabled.
Solution:
Install the latest version:
* If you use the Login Disable module for Drupal 9.x / 10.x, upgrade to
Login Disable 2.1.1 [3]
The Drupal 7 version of the module is not affected.
Reported By:
* e5sego [4]
Fixed By:
* e5sego [5]
* Sang Lostrie [6]
Coordinated By:
* Ivo Van Geertruyen [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
* Benji Fisher [9] of the Drupal Security Team
[1] https://www.drupal.org/project/login_disable
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/login_disable/releases/2.1.1
[4] https://www.drupal.org/user/261590
[5] https://www.drupal.org/user/261590
[6] https://www.drupal.org/user/2727459
[7] https://www.drupal.org/u/mrbaileys
[8] https://security.drupal.org/user/27
[9] https://www.drupal.org/u/benjifisher
More information about the Security-news
mailing list