Drupal Security TeamDRUPAL-SA-CONTRIB-2014-111SA-CONTRIB-2014-111 - Protected Pages - Password Protection Bypass
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.967 High
EPSS
Percentile
99.7%
Protected Pages modules allows the administrator to secure any page in your website by password by configuring a add path and the associated password.
The module did not sufficiently protect variations on the protected path.
CVE identifier(s) issued
- CVE-2014-9024
Versions affected
- Protected Pages 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Protected Pages module,
there is nothing you need to do.
Solution
Install the latest version:
- Upgrade to protected_pages 7.x-2.4
Also see the Protected Pages project page.
Reported by
Fixed by
- Varun Mishra the module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
References
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2353451
www.drupal.org/project/protected_pages
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/102818
www.drupal.org/user/168948
www.drupal.org/user/36762
www.drupal.org/user/77861
www.drupal.org/writing-secure-code
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.967 High
EPSS
Percentile
99.7%