Critical Security Alert on Protected Pages Module
Drupal published a new security update yesterday. The update addresses a vulnerability in the Protected Pages module. Anyone using the Protected Pages module for Drupal 8/9/10 is advised to install the latest version. The new update will fix the access bypass vulnerability and prevents hackers from exploiting the weakness in the authentication mechanism.
The Protected Pages module allows the administrator to secure any page using a password. It is different from the Protected Node module. Whereas the Protected Node facilitates password protection only for nodes, Protected Pages allows it for pages or paths.
The security lapse was reported by Shelane French, Web Developer at Lawrence Livermore National Laboratory. It was fixed by Mark Dorison and Diego Rodrigo da Silva. Greg Knaddison of the Drupal Security Team coordinated the efforts.
Users are encouraged to review the security update and apply the necessary updates. Click here to learn how to install the update.