"It has been a pleasure to work with Casey, Rick and Phil from Ricochet. We were initially faced with a dip in productivity on our project due to some team member's contributing to DrupalCon Munich. Casey and team were able to step in, ramp up, and start contributing to solutions immediately. When our team members returned from Munich, we decided the Ricochet guys were too valuable and helpful to let go, so we have kept them on as members of the team until launch.
—Suzy Bates, Four Kitchens

Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045

Wed, 2023-09-13 08:47 — Anonymous (not verified)

Project: Mail LoginDate: 2023-September-13Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.8.0Description: This module enables users to log in by email address with minimal configurations.
Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks.Solution: Install the latest version:

If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.8

Reported By:

Melisa Cordero

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team
xjm of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2023-045

Search form

Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045