[Security-news] Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028
security-news at drupal.org
security-news at drupal.org
Wed Apr 2 17:02:34 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-028
Project: Access code [1]
Date: 2025-April-02
Security risk: *Moderately critical* 14 ∕ 25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <2.0.4
CVE IDs: CVE-2025-3129
Description:
This module enables users to log in using a short access code instead of
providing a username/password combination.
The module doesn't sufficiently protect against brute force attacks to guess
a user's access code.
This vulnerability is mitigated by the fact that access code based logins are
off by default and only enabled for accounts that enable it. Sites could
mitigate the issue without updating by:
1) disabling the access code login method for critical accounts
2) monitor and prevent brute force attacks in other ways (for example, with
a Web Application Firewall)
Solution:
Install the latest version:
* If you use the access_code module for Drupal 8.x or later, upgrade to
access_code 2.0.4 [3]
Reported By:
* Marcin Maruszewski (marcin maruszewski) [4]
Fixed By:
* Gergely Lekli (glekli) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Drew Webber (mcdruid) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/access_code
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/access_code/releases/2.0.4
[4] https://www.drupal.org/u/marcin-maruszewski
[5] https://www.drupal.org/u/glekli
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/mcdruid
[8] https://www.drupal.org/u/poker10
More information about the Security-news
mailing list