View online: https://www.drupal.org/sa-contrib-2025-101
Project: Protected Pages [1] Date: 2025-August-27 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass
Affected versions: <1.8.0 CVE IDs: CVE-2025-9551 Description: This module enables you to protect individual pages with a password.
The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.
This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.
*CVSS risk score (experimental [3]) 6.3 / Medium*
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N [4]
Solution: Install the latest version:
* If you use the Protected Pages module for Drupal 8.x, upgrade to Protected Pages 8.x-1.8 [5]
Reported By: * Pierre Rudloff (prudloff) [6]
Fixed By: * Oksana Cyrwus (oksana-c) [7] * Ra Mänd (ram4nd) [8]
Coordinated By: * Benji Fisher (benjifisher) [9] of the Drupal Security Team * Damien McKenna (damienmckenna) [10] of the Drupal Security Team * Greg Knaddison (greggles) [11] of the Drupal Security Team * Drew Webber (mcdruid) [12] of the Drupal Security Team * Juraj Nemec (poker10) [13] of the Drupal Security Team
[1] https://www.drupal.org/project/protected_pages [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/securitydrupalorg/issues/3442181 [4] https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/... [5] https://www.drupal.org/project/protected_pages/releases/8.x-1.8 [6] https://www.drupal.org/u/prudloff [7] https://www.drupal.org/u/oksana-c [8] https://www.drupal.org/u/ram4nd [9] https://www.drupal.org/u/benjifisher [10] https://www.drupal.org/u/damienmckenna [11] https://www.drupal.org/u/greggles [12] https://www.drupal.org/u/mcdruid [13] https://www.drupal.org/u/poker10
-
security-news@drupal.org