"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2023-048

Wed, 2023-10-04 08:41 — Anonymous (not verified)

Project: Mail LoginDate: 2023-October-04Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.9.0Description: This module enables users to log in by email address with minimal configurations.
Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks.
A previous security advisory, SA-CONTRIB-2023-45, was released for this issue, but that release did not successfully address the vulnerability. This security advisory and updated module version supersede the previous one.Solution: Install the latest version:

If you use the mail_login module for Drupal 8, 9, or 10, upgrade to Mail Login 8.x-2.9.

Reported By:

Fixed By:

Melisa Cordero
Mohammad AlQanneh
Lee Rowlands of the Drupal Security Team
Emil Johnsson

Coordinated By:

Greg Knaddison of the Drupal Security Team
Drew Webber of the Drupal Security Team
xjm of the Drupal Security Team
Juraj Nemec of the Drupal Security Team
Neil Drumm of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2023-048

Search form

Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2023-048