DRUPAL-CONTRIB-2025-108

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/access_code/DRUPAL-CONTRIB-2025-108.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-108

Aliases

Published

2025-09-24T17:27:20Z

Modified

2025-12-10T23:41:09.768849Z

Summary

[none]

Details

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their choice is taken.

This vulnerability is mitigated by the fact that an attacker must have a role with the "change own access code" permission.

References

https://www.drupal.org/sa-contrib-2025-108

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/access_code

Package

Name: drupal/access_code
Purl: pkg:composer/drupal/access_code

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.0.5

Database specific

{
    "constraint": "<2.0.5"
}

Database specific

affected_versions

"<2.0.5"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/access_code/DRUPAL-CONTRIB-2025-108.json"