Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-August-27
Vulnerability:
Access bypass
Affected versions:
<1.8.0
CVE IDs:
CVE-2025-9551
Description:
This module enables you to protect individual pages with a password.
The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks.
This vulnerability is mitigated by the fact that an attacker must know the protected page's URL.
CVSS risk score (experimental) 6.3 / Medium
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Solution:
Install the latest version:
- If you use the Protected Pages module for Drupal 8.x, upgrade to Protected Pages 8.x-1.8
Reported By:
Fixed By:
- Oksana Cyrwus (oksana-c)
- Ra Mänd (ram4nd), provisional member of the Drupal Security Team
Coordinated By:
- Benji Fisher (benjifisher) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
