[IT-SecNots] [Security-news] Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2024-073

Project: Login Disable [1]
Date: 2024-December-11
Security risk: *Critical* 16 ∕ 25
AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: >=2.0.0 <2.1.1
Description: 
This module enables you to prevent existing users from logging in to your
Drupal site unless they know the secret key to add to the end of the ?q=user
login form page.

The Login Disable module does not correctly prevent a user with a disabled
login from logging in, allowing those users to by-pass the protection offered
by the module.

This vulnerability is mitigated by the fact that an attacker must already
have a user account to log in. This bug therefore allows users to log in even
if their login is disabled.

Solution: 
Install the latest version:

  * If you use the Login Disable module for Drupal 9.x / 10.x, upgrade to
    Login Disable 2.1.1 [3]

The Drupal 7 version of the module is not affected.

Reported By: 
  * e5sego [4]

Fixed By: 
  * e5sego [5]
  * Sang Lostrie [6]

Coordinated By: 
  * Ivo Van Geertruyen [7] of the Drupal Security Team
  * Greg Knaddison [8] of the Drupal Security Team
  * Benji Fisher [9] of the Drupal Security Team


[1] https://www.drupal.org/project/login_disable
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/login_disable/releases/2.1.1
[4] https://www.drupal.org/user/261590
[5] https://www.drupal.org/user/261590
[6] https://www.drupal.org/user/2727459
[7] https://www.drupal.org/u/mrbaileys
[8] https://security.drupal.org/user/27
[9] https://www.drupal.org/u/benjifisher

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news