Smart IP Ban - Critical - Access bypass - SA-CONTRIB-2024-041

Project:

Date:

2024-September-18

Security risk:

Critical 18 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Access bypass

CVE IDs:

CVE-2024-13277

Description:

The Smart IP Ban module enables a site to automatically ban an IP address based upon too many failed authentications.

The module doesn't sufficiently protect access to certain paths provided by the module allowing a malicious user to view and modify the settings.

Solution:

Install the latest version:

If you use the Smart IP Ban module for Drupal 7.x, upgrade to Smart IP Ban 7.x-1.1

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.