Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101

Description

The Protected Pages module enables you to protect individual pages with a password.

The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.

This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.

Solution

Install the latest version.

If you use the Protected Pages module for Drupal 7, upgrade to protected_pages 7.x-2.5:

• protected_pages-7.x-2.5.tar.gz
• protected_pages-7.x-2.5.zip

Reported by

• Pierre Rudloff (prudloff)

Fixed by

• Oksana Cyrwus (oksana-c)
• Ra Mänd (ram4nd), provisional member of the Drupal Security Team
• Tag1 Security Team

Coordinated by

• Benji Fisher (benjifisher) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Tag1 Security Team