
it-securitynotifies - [IT-SecNots] [Security-news] Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

[IT-SecNots] [Security-news] Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028
  • Date: Wed, 2 Apr 2025 17:02:34 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-028

Project: Access code [1]
Date: 2025-April-02
Security risk: *Moderately critical* 14/25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <2.0.4
CVE IDs: CVE-2025-3129
Description: 
This module enables users to log in using a short access code instead of
providing a username/password combination.

The module doesn't sufficiently protect against brute force attacks that guess
a user's access code.

This vulnerability is mitigated by the fact that access-code-based logins are
off by default and are only enabled for accounts that opt in. Sites could
mitigate the issue without updating by:

1) disabling the access code login method for critical accounts
2) monitoring and preventing brute force attacks in other ways (for example,
with a Web Application Firewall)
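
The missing control described above, as an added example that is not the access_code module's own code: a per-account and per-IP throttle on failed access-code attempts, modelled on Drupal's flood-control pattern but written as a stand-alone Python class with an injectable clock so it can be exercised offline. The thresholds, the window, and the constructed ACCESS_CODES store are assumptions, not values from the advisory.

```python
import time
from collections import defaultdict, deque
from hmac import compare_digest

# Constructed sample store (assumption): user id -> access code. A real site would
# store only a hash of the code; plain text is used here to keep the example short.
ACCESS_CODES = {"alice": "483920"}


class AccessCodeLogin:
    """Access-code login that refuses further checks after too many recent failures."""

    def __init__(self, user_threshold=5, ip_threshold=50, window=3600,
                 clock=time.monotonic):
        self.user_threshold = user_threshold  # failures allowed per account per window
        self.ip_threshold = ip_threshold      # failures allowed per client IP per window
        self.window = window                  # seconds of history that count
        self.clock = clock                    # injectable for deterministic tests
        self.events = defaultdict(deque)      # key -> timestamps of failed attempts

    def _recent_failures(self, key):
        # Drop failures older than the window, then count what is left.
        now = self.clock()
        queue = self.events[key]
        while queue and queue[0] <= now - self.window:
            queue.popleft()
        return len(queue)

    def is_allowed(self, user, ip):
        return (self._recent_failures(("user", user)) < self.user_threshold
                and self._recent_failures(("ip", ip)) < self.ip_threshold)

    def attempt(self, user, code, ip):
        # The throttle is evaluated before the code is compared, so a locked
        # account yields "blocked" even for the correct code.
        if not self.is_allowed(user, ip):
            return "blocked"
        expected = ACCESS_CODES.get(user)
        if expected is not None and compare_digest(expected, code):
            self.events.pop(("user", user), None)  # success resets the account counter
            return "ok"
        now = self.clock()
        self.events[("user", user)].append(now)
        self.events[("ip", ip)].append(now)
        return "denied"
```

Without the `is_allowed` gate every request reaches the comparison, which is the condition the advisory describes; with it, the number of guesses per account and per source address inside a window is bounded by the configured thresholds.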

Solution: 
Install the latest version:

* If you use the access_code module for Drupal 8.x or later, upgrade to
access_code 2.0.4 [3]

Reported By: 
* Marcin Maruszewski (marcin maruszewski) [4]

Fixed By: 
* Gergely Lekli (glekli) [5]

Coordinated By: 
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Drew Webber (mcdruid) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/access_code
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/access_code/releases/2.0.4
[4] https://www.drupal.org/u/marcin-maruszewski
[5] https://www.drupal.org/u/glekli
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/mcdruid
[8] https://www.drupal.org/u/poker10

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

