it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101
- Date: Wed, 27 Aug 2025 17:20:00 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=HQkkY5nh; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org A82E482A0E
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 4B3E48113B
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-101
Project: Protected Pages [1]
Date: 2025-August-27
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <1.8.0
CVE IDs: CVE-2025-9551
Description:
This module enables you to protect individual pages with a password.
The module doesn't limit the number of password attempts, making it
vulnerable to brute force attacks.
This vulnerability is mitigated by the fact that an attacker must know the
protected page's URL.
*CVSS risk score (experimental [3]) 6.3 / Medium*
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N [4]
Solution:
Install the latest version:
* If you use the Protected Pages module for Drupal 8.x, upgrade to Protected
Pages 8.x-1.8 [5]
Reported By:
* Pierre Rudloff (prudloff) [6]
Fixed By:
* Oksana Cyrwus (oksana-c) [7]
* Ra Mänd (ram4nd) [8]
Coordinated By:
* Benji Fisher (benjifisher) [9] of the Drupal Security Team
* Damien McKenna (damienmckenna) [10] of the Drupal Security Team
* Greg Knaddison (greggles) [11] of the Drupal Security Team
* Drew Webber (mcdruid) [12] of the Drupal Security Team
* Juraj Nemec (poker10) [13] of the Drupal Security Team
[1] https://www.drupal.org/project/protected_pages
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/securitydrupalorg/issues/3442181
[4] https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
[5] https://www.drupal.org/project/protected_pages/releases/8.x-1.8
[6] https://www.drupal.org/u/prudloff
[7] https://www.drupal.org/u/oksana-c
[8] https://www.drupal.org/u/ram4nd
[9] https://www.drupal.org/u/benjifisher
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/mcdruid
[13] https://www.drupal.org/u/poker10
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101, security-news, 27.08.2025
Archiv bereitgestellt durch MHonArc 2.6.19+.