Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073

Project: Login Disable
Date: 2024-December-11
Security risk: Critical 16 ∕ 25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.1.1
Description: This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.
The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to bypass the protection offered by the module.
This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if their login is disabled.
Solution: Install the latest version:

The Drupal 7 version of the module is not affected.

Reported By:

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2024-073