DRUPAL-CONTRIB-2024-073

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/login_disable/DRUPAL-CONTRIB-2024-073.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-073
Aliases
  • CVE-2024-13309
Published
2024-12-11T12:36:29Z
Modified
2025-12-10T23:41:28.727748Z
Summary
[none]
Details

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.

The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to bypass the protection offered by the module.

This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if their login is disabled.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/login_disable

Package

Name
drupal/login_disable
Purl
pkg:composer/drupal/login_disable

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.1.1
Database specific
{
    "constraint": ">=2.0.0 <2.1.1"
}

Database specific

affected_versions
">=2.0.0 <2.1.1"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/login_disable/DRUPAL-CONTRIB-2024-073.json"