Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057
View online: https://www.drupal.org/sa-contrib-2024-057

Project: Basic HTTP Authentication [1]
Date: 2024-November-06
Security risk: *Critical* 16 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description:
The module provides a possibility to restrict access to specific paths using basic HTTP authentication, in addition to standard Drupal access checks.

In some cases, the module removes existing access checks from some paths, resulting in an access bypass vulnerability.

Solution:
Install the latest version:

* If you use the Basic HTTP Authentication module for Drupal 7.x, upgrade to Basic Authentication 7.x-1.4 [3]

Reported By:
* Roderik Muit [4]

Fixed By:
* Roderik Muit [5]
* Ivo Van Geertruyen [6] of the Drupal Security Team

Coordinated By:
* Ivo Van Geertruyen [7] of the Drupal Security Team

[1] https://www.drupal.org/project/basic_auth
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/basic_auth/releases/7.x-1.4
[4] https://www.drupal.org/user/8841
[5] https://www.drupal.org/user/8841
[6] https://www.drupal.org/user/383424
[7] https://www.drupal.org/user/383424