DRUPAL-CONTRIB-2025-088

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/mail_login/DRUPAL-CONTRIB-2025-088.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-088
Aliases
  • CVE-2025-7393
Published
2025-07-09T16:37:40Z
Modified
2025-12-10T23:41:24.780259Z
Summary
[none]
Details

This module enables users to log in by email address with minimal configuration.

The module included some protection against brute force attacks on the login form; however, it was incomplete. An attacker could bypass the brute force protection, potentially allowing them to gain access to an account.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/mail_login

Package

Name
drupal/mail_login
Purl
pkg:composer/drupal/mail_login

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.2.0
Database specific
{
    "constraint": "<3.2.0"
}
Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.2.0
Database specific
{
    "constraint": ">=4.0.0 <4.2.0"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/mail_login/DRUPAL-CONTRIB-2025-088.json"
affected_versions
"<3.2.0 || >=4.0.0 <4.2.0"