Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073
Project: Login Disable
Date: 2024-December-11
Security risk: Critical 16∕25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.1.1
Description: This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.
The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to bypass the protection offered by the module.
This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if their login is disabled.
Solution: Install the latest version:
- If you use the Login Disable module for Drupal 9.x / 10.x, upgrade to Login Disable 2.1.1
The Drupal 7 version of the module is not affected.
Reported By:
Fixed By:
Coordinated By:
- Ivo Van Geertruyen of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
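As an added triage helper (not part of the advisory or the Login Disable project), the following script classifies an installed Login Disable version against the affected range stated above (>=2.0.0 <2.1.1, Drupal 7 branch unaffected) and reads the installed version from a composer.lock document. The composer package name `drupal/login_disable` is assumed from the project's machine name, and the lock file fragment is constructed for the demonstration.

```python
import json
import re
from typing import Optional, Tuple

# Affected range from SA-CONTRIB-2024-073: >=2.0.0 <2.1.1 (Drupal 9.x / 10.x branch).
AFFECTED_FROM = (2, 0, 0)
FIXED_IN = (2, 1, 1)
# Composer package name: assumed from the project's machine name (login_disable).
PACKAGE = "drupal/login_disable"


def parse_release(version: str) -> Optional[Tuple[int, ...]]:
    """Parse a tagged release such as '2.0.3' into a comparable tuple.
    Dev snapshots ('2.1.x-dev') and other non-release strings return None so the
    caller flags them for manual review instead of guessing."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'outside-range', 'unaffected-d7' or 'unknown'."""
    if re.fullmatch(r"7\.x-.*", version.strip()):
        return "unaffected-d7"  # the advisory states the Drupal 7 version is not affected
    rel = parse_release(version)
    if rel is None:
        return "unknown"
    if AFFECTED_FROM <= rel < FIXED_IN:
        return "affected"
    return "fixed" if rel >= FIXED_IN else "outside-range"


def installed_version(composer_lock: str) -> Optional[str]:
    """Find the installed Login Disable version in a composer.lock document."""
    data = json.loads(composer_lock)
    for pkg in data.get("packages", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def triage(composer_lock: str) -> str:
    """Classify the site's Login Disable install, or report it as not installed."""
    version = installed_version(composer_lock)
    return "not-installed" if version is None else classify(version)


# Constructed composer.lock fragment for the demonstration (not from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.3.6"},
    {"name": PACKAGE, "version": "2.0.2"},
]})

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK))  # affected
```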