View online: https://www.drupal.org/sa-contrib-2022-033

Project: Rename Admin Paths [1] Version: 7.x-2.37.x-2.27.x-2.1 Date: 2022-April-12 Security risk: *Moderately critical* 10∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass

Description:  The Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs.

The risk is mitigated by the fact that, even though the attacker can bypass the protection offered by this module, all regular permissions still apply.

Solution:  Install the latest version:

* If you use the rename_admin_paths module for Drupal 7.x, upgrade to rename_admin_paths 7.x-2.4 [3]

Only the 7.x version of the module is vulnerable. If you use the 8.x version, you do not have to take any action.

Reported By:  * Ivo Van Geertruyen [4] of the Drupal Security Team

Fixed By:  * Ivo Van Geertruyen [5] of the Drupal Security Team * Raphaël Apard [6]

Coordinated By:  * Chris McCafferty [7] of the Drupal Security Team * Ivo Van Geertruyen [8] of the Drupal Security Team

[1] https://www.drupal.org/project/rename_admin_paths [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/rename_admin_paths/releases/7.x-2.4 [4] https://www.drupal.org/user/383424 [5] https://www.drupal.org/user/383424 [6] https://www.drupal.org/user/410831 [7] https://www.drupal.org/u/cilefen [8] https://www.drupal.org/u/mrbaileys