it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108
- Date: Wed, 24 Sep 2025 17:27:22 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-108
Project: Access code [1]
Date: 2025-September-24
Security risk: *Moderately critical* 14 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <2.0.5
CVE IDs: CVE-2025-10928
Description:
This module enables users to sign in with an access code instead of entering
user names and passwords. When users are allowed to pick their own access
codes, they can guess other users' access codes based on the fact that access
codes need to be unique and the system warns if the code of their choice is
taken.
This vulnerability is mitigated by the fact that an attacker must have a role
with the "change own access code" permission.
Solution:
Install the latest version:
* If you use access_code module for Drupal, upgrade to access_code 2.0.5 [3]
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Gergely Lekli (glekli) [5]
* Pierre Rudloff (prudloff) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Pierre Rudloff (prudloff) [8] provisional member of the Drupal Security
Team
------------------------------------------------------------------------------
Contribution record [9]
[1] https://www.drupal.org/project/access_code
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/access_code/releases/2.0.5
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/glekli
[6] https://www.drupal.org/u/prudloff
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/prudloff
[9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3548499
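The uniqueness oracle described in the advisory, as an added Python model that is not code from the access_code module or from the advisory's authors. The class, method names, message strings and the server-generated-code variant are assumptions chosen for illustration; the variant is one possible hardening and is not claimed to be the change shipped in 2.0.5.

```python
import secrets
from collections import Counter

TAKEN = "This access code is already in use."   # constructed wording
SAVED = "Access code saved."                    # constructed wording


class CodeStore:
    """Constructed in-memory model; not the access_code module's code."""

    def __init__(self):
        self.codes = {}              # access code -> user id
        self.collisions = Counter()  # user id -> rejected "taken" attempts

    def _assign(self, uid, code):
        # One code per account: drop the previous one before storing the new.
        for old in [c for c, owner in self.codes.items() if owner == uid]:
            del self.codes[old]
        self.codes[code] = uid

    def set_code_user_chosen(self, uid, code):
        """'Before' behaviour: the user picks the code, collisions are reported."""
        owner = self.codes.get(code)
        if owner is not None and owner != uid:
            # The warning confirms that `code` signs in another account.
            self.collisions[uid] += 1
            return TAKEN
        self._assign(uid, code)
        return SAVED

    def set_code_server_generated(self, uid, nbytes=16):
        """Hardened variant: the server draws the code, so nothing the user
        types is ever compared against other users' codes."""
        while True:
            code = secrets.token_urlsafe(nbytes)
            if code not in self.codes:   # retry silently on a collision
                self._assign(uid, code)
                return code

    def suspicious_users(self, threshold):
        """Accounts with at least `threshold` collision rejections."""
        return sorted(u for u, n in self.collisions.items() if n >= threshold)
```

On a site that cannot upgrade immediately, the collision counter shows the signal worth alerting on: repeated "taken" rejections from one account holding the "change own access code" permission.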