Security Advisory: Mail Login Module Vulnerability SA-CONTRIB-2023-048
The Mail Login module for Drupal has been flagged for a moderately critical security issue, designated SA-CONTRIB-2023-048. The vulnerability, assessed at a risk level of 13/25, is an access bypass that exposes user accounts to brute-force attacks: the module's login path does not apply the flood control mechanism that Drupal core's own login form uses, so repeated failed attempts are not throttled.
Site owners are advised to update to the latest version of the Mail Login module to mitigate this risk. For sites running Drupal 8, 9, or 10, upgrading to Mail Login 8.x-2.9 is recommended. Note that a previous security advisory, SA-CONTRIB-2023-45, attempted to address this issue but did not provide an effective fix; the current advisory and the updated module version therefore supersede it.
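As an added illustration of the missing control (this is not the Mail Login module's code, nor the fix shipped in 8.x-2.9), the validation handler below shows how an e-mail-based login form can apply Drupal core's flood service with the same per-IP and per-account counters that core's own user login form maintains. The module name, hook name and the 'mail'/'pass' form element names are assumed; the flood event names and user.flood config keys are the ones core uses.

```php
<?php
// Added example: flood-controlled validation for a hypothetical e-mail login form.
// Mirrors core's UserLoginForm: check per-IP and per-account limits before
// authenticating, register every failure, clear the account counter on success.

use Drupal\Core\Form\FormStateInterface;

function mymodule_mail_login_validate(array &$form, FormStateInterface $form_state) {
  $flood  = \Drupal::flood();
  $config = \Drupal::config('user.flood');   // ip_limit, ip_window, user_limit, user_window, uid_only
  $ip     = \Drupal::request()->getClientIp();

  // 1. Per-IP limit: one client hammering many accounts.
  if (!$flood->isAllowed('user.failed_login_ip', $config->get('ip_limit'), $config->get('ip_window'))) {
    $form_state->setErrorByName('mail', t('Too many failed login attempts from your IP address. Try again later.'));
    return;
  }

  // Resolve the account by e-mail (only active accounts).
  $accounts = \Drupal::entityTypeManager()->getStorage('user')
    ->loadByProperties(['mail' => $form_state->getValue('mail'), 'status' => 1]);
  $account = reset($accounts);

  // 2. Per-account limit: a distributed attack against one account.
  // Core keys the counter by uid, plus the client IP unless uid_only is set.
  $identifier = NULL;
  if ($account) {
    $identifier = $config->get('uid_only') ? $account->id() : $account->id() . '-' . $ip;
    if (!$flood->isAllowed('user.failed_login_user', $config->get('user_limit'), $config->get('user_window'), $identifier)) {
      $form_state->setErrorByName('mail', t('Too many failed login attempts for this account. Try again later.'));
      return;
    }
  }

  // Only now check the password; user.auth returns the uid or FALSE.
  $uid = $account
    ? \Drupal::service('user.auth')->authenticate($account->getAccountName(), $form_state->getValue('pass'))
    : FALSE;

  if ($uid) {
    // Success: clear the per-account counter (the per-IP counter is left to expire).
    $flood->clear('user.failed_login_user', $identifier);
    $form_state->set('uid', $uid);
    return;
  }

  // Failure: register the attempt against both counters so the windows fill up.
  $flood->register('user.failed_login_ip', $config->get('ip_window'));
  if ($identifier) {
    $flood->register('user.failed_login_user', $config->get('user_window'), $identifier);
  }
  $form_state->setErrorByName('pass', t('Unrecognized e-mail address or password.'));
}
```

Registering the failure for unknown e-mail addresses as well (the per-IP counter above) matters, because otherwise an attacker could enumerate addresses without ever being throttled.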
The vulnerability was reported and resolved by Melisa Cordero and Emil Johnsson, with members of the Drupal Security Team coordinating the response. This advisory is part of the ongoing effort to maintain the integrity and security of Drupal-based websites. For more information, visit the website.