DRUPAL-CONTRIB-2025-028

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/access_code/DRUPAL-CONTRIB-2025-028.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-028
Aliases
  • CVE-2025-3129
Published
2025-04-02T17:02:32Z
Modified
2025-12-10T23:41:27.196074Z
Summary
[none]
Details

This module enables users to log in using a short access code instead of providing a username/password combination.

The module doesn't sufficiently protect against brute force attacks to guess a user's access code.

This vulnerability is mitigated by the fact that access-code-based logins are off by default and are only active for accounts that enable them. Sites could mitigate the issue without updating by:

  1. disabling the access code login method for critical accounts
  2. monitoring for and preventing brute force attacks in other ways (for example, with a Web Application Firewall)

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/access_code

Package

Name
drupal/access_code
Purl
pkg:composer/drupal/access_code

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.4
Database specific
{
    "constraint": "<2.0.4"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/access_code/DRUPAL-CONTRIB-2025-028.json"
affected_versions
"<2.0.4"