Date:
Friday, Aug 29th, 2025
Advisory ID:
BACKDROP-SA-CONTRIB-2025-016
Security risk:
Moderately Critical
Vulnerability:
Access bypass
CVE ID:
Versions affected:
- Protected pages module, all versions prior to 1.x-2.4.1.
Description:
The Protected Pages module module allows you to protect individual pages with a password.
The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.
This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.
Solution:
Upgrade your site to use the most recent version of the Protected Pages module. Download available on the Protected pages module page.
Reported By:
Coordinated By:
- Benji Fisher (benjifisher) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jen Lampton of the Backdrop CMS Security Team