View online: https://www.drupal.org/sa-contrib-2025-028

Project: Access code [1] Date: 2025-April-02 Security risk: *Moderately critical* 14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Access bypass

Affected versions: <2.0.4 CVE IDs: CVE-2025-3129 Description:  This module enables users to log in using a short access code instead of providing a username/password combination.

The module doesn't sufficiently protect against brute force attacks to guess a user's access code.

This vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:

1) disabling the access code login method for critical accounts 2) monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)

Solution:  Install the latest version:

* If you use the access_code module for Drupal 8.x or later, upgrade to access_code 2.0.4 [3]

Reported By:  * Marcin Maruszewski (marcin maruszewski) [4]

Fixed By:  * Gergely Lekli (glekli) [5]

Coordinated By:  * Greg Knaddison (greggles) [6] of the Drupal Security Team * Drew Webber (mcdruid) [7] of the Drupal Security Team * Juraj Nemec (poker10) [8] of the Drupal Security Team

[1] https://www.drupal.org/project/access_code [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/access_code/releases/2.0.4 [4] https://www.drupal.org/u/marcin-maruszewski [5] https://www.drupal.org/u/glekli [6] https://www.drupal.org/u/greggles [7] https://www.drupal.org/u/mcdruid [8] https://www.drupal.org/u/poker10