DRUPAL-CONTRIB-2023-048

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/mail_login/DRUPAL-CONTRIB-2023-048.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-048

Published

2023-10-04T15:41:34Z

Modified

2025-12-10T23:33:19.325726Z

Summary

[none]

Details

This module enables users to log in by email address with minimal configurations.

Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks.

A previous security advisory, SA-CONTRIB-2023-45, was released for this issue, but that release did not successfully address the vulnerability. This security advisory and updated module version supersede the previous one.

References

https://www.drupal.org/sa-contrib-2023-048

Credits

- Emil Johnsson
- - https://www.drupal.org/user/1868992
- Melisa Cordero
- - https://www.drupal.org/user/3655438

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/mail_login

Package

Name: drupal/mail_login
Purl: pkg:composer/drupal/mail_login

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.9.0

Database specific

{
    "constraint": "<2.9.0"
}

Database specific

affected_versions

"<2.9.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/mail_login/DRUPAL-CONTRIB-2023-048.json"