Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

Project: Rename Admin Paths
Version: 7.x-2.3, 7.x-2.2, 7.x-2.1
Date: 2022-April-12
Security risk: Moderately critical 10∕25 
Vulnerability: Access bypass

Description

The Rename Admin Paths module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability which allows attackers to bypass the protection by using specially crafted URLs.

The risk is mitigated by the fact that, even though the attacker can bypass the protection offered by this module, all regular permissions still apply.

Solution

Install the latest version:

If you use the rename_admin_paths module for Drupal 7.x, upgrade to rename_admin_paths 7.x-2.4.

Only the 7.x version of the module is vulnerable. If you use the 8.x version, you do not have to take any action.
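
To find which installed copies need the upgrade, the following added example (not part of the advisory or the module) scans a Drupal 7 docroot for rename_admin_paths.info files and compares the packaged version line against the versions listed above. The function names are hypothetical, and it assumes the module was installed from a drupal.org release, which writes a version = "..." line into the .info file.

```shell
#!/bin/sh
# Added example: audit a Drupal 7 docroot against SA-CONTRIB-2022-033.
# Only Drupal 7 .info files are inspected; the 8.x module is not affected.

# Print the version recorded in a Drupal 7 .info file. The drupal.org
# packaging script appends its "version" line, so the last match wins.
info_version() {
  sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Map a version string to a status, using only the versions the advisory names.
classify_version() {
  case "$1" in
    7.x-2.1|7.x-2.2|7.x-2.3) echo affected ;;  # listed as vulnerable
    7.x-2.4)                 echo fixed ;;     # release named in the Solution
    "")                      echo unknown ;;   # no version line (e.g. git checkout)
    *)                       echo unlisted ;;  # not mentioned in the advisory
  esac
}

# Report every copy of the module under a docroot, one per line:
# status <TAB> version <TAB> path. Multisite and contrib/ subdirectories
# are covered because the whole tree is searched.
audit_docroot() {
  find "$1" -type f -name 'rename_admin_paths.info' 2>/dev/null |
  while IFS= read -r info; do
    v=$(info_version "$info")
    printf '%s\t%s\t%s\n' "$(classify_version "$v")" "${v:-none}" "$info"
  done
}

# Usage: sh audit.sh /path/to/drupal7/docroot
if [ "$#" -gt 0 ]; then
  audit_docroot "$1"
fi
```

Copies reported as unknown or unlisted need a manual check, since the advisory only names 7.x-2.1 through 7.x-2.3 as affected and 7.x-2.4 as the fix.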

Nick Onom
Marketing Project Manager