Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2024-December-11
Vulnerability:
Access bypass
Affected versions:
>=2.0.0 <2.1.1
CVE IDs:
CVE-2024-13309
Description:
This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.
The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass the protection offered by the module.
This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if their login is disabled.
Solution:
Install the latest version:
- If you use the Login Disable module for Drupal 9.x / 10.x, upgrade to Login Disable 2.1.1
The Drupal 7 version of the module is not affected.
Reported By:
Fixed By:
Coordinated By:
- Ivo Van Geertruyen of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
