DrupalSecurityTeam · G-Rath · Nov 12, 2025 · Jul 29, 2025 · Nov 6, 2025 · Nov 6, 2025
diff --git a/advisories/access_code/DRUPAL-CONTRIB-2025-028.json b/advisories/access_code/DRUPAL-CONTRIB-2025-028.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2025-028",
+  "modified": "2025-04-02T17:02:32.000Z",
+  "published": "2025-04-02T17:02:32.000Z",
+  "aliases": [
+    "CVE-2025-3129"
+  ],
+  "details": "This module enables users to log in using a short access code instead of providing a username/password combination.\n\nThe module doesn't sufficiently protect against brute force attacks to guess a user's access code.\n\nThis vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:\n\n1. disabling the access code login method for critical accounts\n2. monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/access_code"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.4"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<2.0.4"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<2.0.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2025-028"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Marcin Maruszewski (marcin maruszewski)",
+      "contact": [
+        "https://www.drupal.org/u/marcin-maruszewski"
+      ]
+    }
+  ]
+}
diff --git a/advisories/access_code/DRUPAL-CONTRIB-2025-108.json b/advisories/access_code/DRUPAL-CONTRIB-2025-108.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2025-108",
+  "modified": "2025-09-24T17:27:20.000Z",
+  "published": "2025-09-24T17:27:20.000Z",
+  "aliases": [
+    "CVE-2025-10928"
+  ],
+  "details": "This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their choice is taken.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the \"change own access code\" permission.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/access_code"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.5"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<2.0.5"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<2.0.5"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2025-108"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Pierre Rudloff (prudloff)",
+      "contact": [
+        "https://www.drupal.org/u/prudloff"
+      ]
+    }
+  ]
+}
diff --git a/advisories/access_code/DSA-CONTRIB-2025-028.json b/advisories/access_code/DSA-CONTRIB-2025-028.json
diff --git a/advisories/access_code/DSA-CONTRIB-2025-108.json b/advisories/access_code/DSA-CONTRIB-2025-108.json
diff --git a/advisories/acl/DRUPAL-CONTRIB-2023-034.json b/advisories/acl/DRUPAL-CONTRIB-2023-034.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2023-034",
+  "modified": "2023-08-23T18:45:47.000Z",
+  "published": "2023-08-23T14:51:16.000Z",
+  "aliases": [],
+  "details": "The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.\n\nThe module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.\n\nAs this is an API module, it is only exploitable if a \"client\" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker typically needs an \"admin\"-type permission provided by one of ACL's client modules.\n\nKnown client modules include:\n\n* Forum Access\n* Flexi Access\n* Content Access\n\nCoordinated Security Advisories are being released for those client modules that have Security coverage.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/acl"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.0.0"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<1.0.0"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<1.0.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2023-034"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Drew Webber",
+      "contact": [
+        "https://www.drupal.org/user/255969"
+      ]
+    },
+    {
+      "name": "Samuel Mortenson",
+      "contact": [
+        "https://www.drupal.org/user/2582268"
+      ]
+    }
+  ]
+}
diff --git a/advisories/acl/DSA-CONTRIB-2023-034.json b/advisories/acl/DSA-CONTRIB-2023-034.json
diff --git a/advisories/acquia_connector/DRUPAL-CONTRIB-2019-014.json b/advisories/acquia_connector/DRUPAL-CONTRIB-2019-014.json
@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.7.0",
+  "id": "DRUPAL-CONTRIB-2019-014",
+  "modified": "2023-08-11T19:23:01.000Z",
+  "published": "2019-02-06T18:13:19.000Z",
+  "aliases": [],
+  "details": "Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.\n\nThe module does not properly enforce access control in a specific case, which can lead to disclosing information.\n\nThe vulnerability is mitigated by requiring the module diff feature to be enabled. This feature is enabled by default.",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "drupal/acquia_connector"
+      },
+      "severity": [],
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.16.0"
+            }
+          ],
+          "database_specific": {
+            "constraint": "<1.16.0"
+          }
+        }
+      ],
+      "database_specific": {
+        "affected_versions": "<1.16.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.drupal.org/sa-contrib-2019-014"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Samuel Mortenson",
+      "contact": [
+        "https://www.drupal.org/user/2582268"
+      ]
+    }
+  ]
+}