=====================================================================

                               CERT-Renater

                     Information Note No. 2023/VULN323

_____________________________________________________________________

DATE                : 14/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running the mail_login module for Drupal,
                     versions prior to 8.x-2.8.

=====================================================================
https://www.drupal.org/sa-contrib-2023-045
_____________________________________________________________________


Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045
Project:             Mail Login
Date:                2023-September-13
Security risk:       Critical 16/25
                     AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability:       Access bypass
Affected versions:   <2.8.0


Description:
This module enables users to log in with their email address instead of
a username, with minimal configuration.

Drupal core protects its own login form against brute-force password
guessing with a flood control mechanism (per-IP and per-account limits
on failed attempts within a time window). The email login path added by
this module did not apply that flood control, so an attacker could
submit an unlimited number of password guesses against a known email
address without being throttled or locked out.
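The fix in 8.x-2.8 is not published in this advisory. As an added illustration (not code from the Mail Login module or from Drupal core) the following shows how a custom login path applies the same flood control core's own login form uses, through the public FloodInterface service (\Drupal\Core\Flood\FloodInterface: isAllowed(), register(), clear()). The event names (mail_login.failed_login_ip / mail_login.failed_login_user), the limits (taken from core's user.flood defaults), the email-plus-IP identifier and the class itself are assumptions for the example.

```php
<?php

// Added example, not the module's or core's code. Demonstrates the pattern
// core applies to its login form: check limits BEFORE comparing a password,
// record every failure, and clear the per-account counter on success.

use Drupal\Core\Flood\FloodInterface;

class EmailLoginFloodGuard {

  // Assumed limits, mirroring core's user.flood defaults:
  // 50 failures per IP per hour, 5 per account per 6 hours.
  const IP_EVENT     = 'mail_login.failed_login_ip';
  const IP_LIMIT     = 50;
  const IP_WINDOW    = 3600;
  const USER_EVENT   = 'mail_login.failed_login_user';
  const USER_LIMIT   = 5;
  const USER_WINDOW  = 21600;

  protected FloodInterface $flood;

  public function __construct(FloodInterface $flood) {
    $this->flood = $flood;
  }

  /**
   * Returns NULL when the attempt may proceed, otherwise a message to
   * show the user. Called from the form's validate step, before any
   * password comparison, so blocked attempts never reach authentication.
   */
  public function check(string $email, string $ip): ?string {
    if (!$this->flood->isAllowed(self::IP_EVENT, self::IP_LIMIT, self::IP_WINDOW, $ip)) {
      return 'Too many failed login attempts from your IP address. Try again later.';
    }
    $id = $this->identifier($email, $ip);
    if (!$this->flood->isAllowed(self::USER_EVENT, self::USER_LIMIT, self::USER_WINDOW, $id)) {
      return 'Too many failed login attempts for this account. Try again later.';
    }
    return NULL;
  }

  /**
   * Record a failed attempt against both the IP and the account window.
   * Registering the IP event even for unknown emails keeps enumeration
   * sweeps from bypassing the limit.
   */
  public function recordFailure(string $email, string $ip): void {
    $this->flood->register(self::IP_EVENT, self::IP_WINDOW, $ip);
    $this->flood->register(self::USER_EVENT, self::USER_WINDOW, $this->identifier($email, $ip));
  }

  /**
   * A successful login clears the per-account counter only; the per-IP
   * counter keeps accumulating, as in core.
   */
  public function recordSuccess(string $email, string $ip): void {
    $this->flood->clear(self::USER_EVENT, $this->identifier($email, $ip));
  }

  /**
   * Assumed identifier: email combined with the client IP, analogous to
   * core's "uid-ip" key. Lower-casing the email prevents an attacker from
   * splitting the budget across case variants of the same address.
   */
  protected function identifier(string $email, string $ip): string {
    return mb_strtolower(trim($email)) . '-' . $ip;
  }

}

// Assumed wiring inside the module's form validation:
//
//   $guard = new EmailLoginFloodGuard(\Drupal::flood());
//   $ip    = \Drupal::request()->getClientIp();
//   if ($msg = $guard->check($email, $ip)) {
//     $form_state->setErrorByName('name', $msg);
//     return;
//   }
//   ... resolve the account by email and compare the password ...
//   $ok ? $guard->recordSuccess($email, $ip) : $guard->recordFailure($email, $ip);
```

When auditing a site for this class of issue, the check is behavioural rather than code-level: submit more failed logins than the configured user_limit against one account through the module's form and confirm the form starts refusing attempts, then repeat against core's /user/login to compare. A login path that never locks out is the symptom this advisory describes.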


Solution:
Install the latest version:

     If you use the mail_login module for Drupal 8 or 9, upgrade to
     Mail Login 8.x-2.8.


Reported By:
     Melisa Cordero


Fixed By:
     Melisa Cordero
     Mohammad AlQanneh


Coordinated By:
     Greg Knaddison of the Drupal Security Team
     xjm of the Drupal Security Team


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
