CVE-2024-13309

5.4 MEDIUM

📋 TL;DR

This vulnerability in Drupal's Login Disable module allows attackers to bypass authentication controls when the module is incorrectly configured. It affects Drupal sites using Login Disable versions 2.0.0 through 2.1.0. Attackers could potentially access restricted content or functionality.

💻 Affected Systems

Products:
  • Drupal Login Disable module
Versions: 2.0.0 through 2.1.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when module is enabled and incorrectly configured with improper access control settings.

📦 What is this software?

Login Disable is a contributed Drupal module that lets a site administrator temporarily switch off user logins, for example during a migration or a maintenance window. This entry concerns the 2.x branch of that module: when the module is enabled but its settings are wrong, the login restriction it is meant to enforce can be bypassed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain unauthorized access to administrative functions or sensitive content by bypassing authentication controls.

🟠

Likely Case

Unauthorized users access content or features intended only for authenticated users.

🟢

If Mitigated

With the module correctly configured, or updated to 2.1.1, bypass attempts fail and the impact is limited to failed login attempts in the logs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires specific misconfigurations in the Login Disable module's access control settings.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.1

Vendor Advisory: https://www.drupal.org/sa-contrib-2024-073

Restart Required: No

Instructions:

1. Update the Login Disable module to version 2.1.1 via Drupal's update manager or Composer.
2. Clear the Drupal cache so the updated code and routes take effect.
3. Re-check the module's settings against the vendor advisory; the fix does not undo a misconfiguration that was already in place.

🔧 Temporary Workarounds

Disable Login Disable Module

linux

Temporarily uninstall the vulnerable module until patching is possible. Drupal 8 and later, which the 2.x branch of this module targets, has no "disabled" state for modules, so use pm:uninstall rather than the Drush 8 pm:disable command. Be aware that uninstalling removes the login restriction the module was providing; put an equivalent control in place (for example, web-server IP restrictions on the login path) before relying on this as a workaround.

drush pm:uninstall login_disable

Review Access Control Configuration

all

Audit and correct Login Disable module's access control settings to prevent exploitation.

🧯 If You Can't Patch

  • Uninstall the Login Disable module immediately, remembering that this also removes the login restriction it enforced
  • Implement additional authentication layers or IP restrictions for the login path and other affected functionality

🔍 How to Verify

Check if Vulnerable:

Check Drupal's module list for Login Disable version 2.0.0 through 2.1.0.

Check Version:

drush pm:list | grep login_disable

Verify Fix Applied:

Confirm Login Disable module version is 2.1.1 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Successful logins (Drupal user-module "Session opened for <name>." entries) during a period in which logins were supposed to be disabled
  • Anonymous requests to restricted pages that return 200 rather than a redirect to the login page or a 403

Network Indicators:

  • Unusual access patterns to admin or restricted endpoints

SIEM Query:

source="drupal_access_log" AND status=200 AND uri CONTAINS "/admin" AND user="anonymous"

Caveat: a plain web-server access log carries no Drupal user field, so this query assumes a log source that records the user (for example Drupal's dblog or syslog module output). Anonymous requests to /admin that return 403 are normal background noise and should not be alerted on; the signal is an anonymous request that succeeds.
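The most direct indicator of a Login Disable bypass is a login that succeeded while logins were meant to be off. The script below is an added example for this page, not code from the advisory or the module. It parses lines in the default format written by Drupal's core syslog module (!base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message) and flags the user module's "Session opened for <name>." entries that fall inside an operator-supplied window in which logins were disabled. The window bounds, the allow-list of accounts expected to log in anyway, and the sample log lines are all constructed assumptions for the example.

```python
"""Flag Drupal logins that succeeded while Login Disable was meant to block them.

Added example for this page; not code from the advisory or the module.
Assumes the default line format of Drupal's core syslog module:
!base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
"""
import re

FIELDS = ("base_url", "timestamp", "type", "ip", "request_uri",
          "referer", "uid", "link", "message")
# Message the user module logs on every successful login.
SESSION_OPENED = re.compile(r"^Session opened for (?P<name>.+)\.$")


def parse_line(line):
    """Parse one syslog line into a dict, or return None if it is not a
    Drupal entry. Tolerates an rsyslog prefix ending in the module's
    default 'drupal: ' ident. The message is the last field, so a '|'
    inside it survives the bounded split."""
    body = line.split("drupal: ", 1)[1] if "drupal: " in line else line
    parts = body.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS) or not parts[1].isdigit():
        return None
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = int(rec["timestamp"])
    rec["uid"] = int(rec["uid"]) if rec["uid"].isdigit() else 0
    return rec


def find_bypass_logins(lines, window_start, window_end, allowed_names=()):
    """Return successful logins inside [window_start, window_end]
    (Unix seconds) by accounts not on the allow-list."""
    allowed = set(allowed_names)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["type"] != "user":
            continue
        m = SESSION_OPENED.match(rec["message"])
        if m is None or not window_start <= rec["timestamp"] <= window_end:
            continue
        name = m.group("name")
        if name in allowed:
            continue
        hits.append({"name": name, "uid": rec["uid"], "ip": rec["ip"],
                     "timestamp": rec["timestamp"],
                     "request_uri": rec["request_uri"]})
    return hits


# Constructed sample lines (not real logs). Logins were meant to be disabled
# between WINDOW_START and WINDOW_END; only "admin" was expected to get in.
WINDOW_START, WINDOW_END = 1734688800, 1734692400
SAMPLE_LOG = [
    "Dec 20 09:33:20 web1 drupal: https://example.test|1734680000|user|198.51.100.4|/user/login||5||Session opened for bob.",
    "Dec 20 10:15:02 web1 drupal: https://example.test|1734689702|user|203.0.113.7|/user/login||7||Session opened for mallory.",
    "Dec 20 10:20:00 web1 drupal: https://example.test|1734690000|user|192.0.2.10|/user/login||1||Session opened for admin.",
    "Dec 20 10:21:00 web1 drupal: https://example.test|1734690060|access denied|203.0.113.7|/admin/config||0||/admin/config",
    "Dec 20 10:22:00 web1 kernel: unrelated line that is not a Drupal entry",
]

if __name__ == "__main__":
    for hit in find_bypass_logins(SAMPLE_LOG, WINDOW_START, WINDOW_END, ["admin"]):
        print(f"login while disabled: {hit['name']} (uid {hit['uid']}) "
              f"from {hit['ip']} at {hit['timestamp']}")
```

On the constructed sample this reports a single login, mallory from 203.0.113.7; bob logged in before the window, admin is allow-listed, and the access-denied entry is not a login. Feed it the syslog lines for the real window in which you expected the module to hold, and treat any hit as a bypass to investigate rather than a finding in itself, since the module may have been reconfigured legitimately.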
