Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068

Project:

Date:

2024-December-04

Security risk:

Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All

Vulnerability:

Access bypass

Affected versions:

>=2.0.0 <2.0.3

CVE IDs:

CVE-2024-13302

Description:

Module to restrict access from anonymous and regular users to configured pre-defined pages.

The module does not adequately handle protecting certain types of URLs.

Solution:

Install the latest version:

If you use the Pages Restriction Access for Drupal 8.x or higher, upgrade to Pages Restriction Access for Drupal 2.0.3

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.