Ricochet has been an invaluable partner in the development of our Drupal sites. Working with Casey, he lent a critical eye to our requirements to understand the feature set and objectives. During development, he was able to propose alternative implementations or creative solutions which met the requirements in an elegant and efficient manner. All the while, Casey maintained perspective on the user experience, to ensure that the product was not only bug free, but also easy to use an navigate. Furthermore, I could rely on Casey to keep me informed of issues and status with timely updates.
—Casey C., Future US

Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088

Wed, 2025-07-09 09:37 — Anonymous (not verified)

Project: Mail LoginDate: 2025-July-09Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >3.0.0 <3.2.0 || >=4.0.0 <4.2.0CVE IDs: CVE-2025-7393Description: This module enables users to login by email address with the minimal configurations.
The module included some protection against brute force attacks on the login form, however they were incomplete. An attacker could bypass the brute force protection allowing them to potentially gain access to an account.Solution: Install the latest version:

If you use the mail_login 3.x, upgrade to Mail Login 3.2.0
If you use the mail_login 4.x, upgrade to Mail Login 4.2.0

Reported By:

Ryugo Kinoshita (dc-kinoshita)

Fixed By:

Damien McKenna (damienmckenna) of the Drupal Security Team
Mohammad AlQanneh (mqanneh)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-088

Search form

Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088