Search criteria
258 vulnerabilities
CVE-2025-12848 (GCVE-0-2025-12848)
Vulnerability from cvelistv5 – Published: 2025-11-26 01:28 – Updated: 2025-11-26 14:19
VLAI?
Summary
Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious
filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts
in the context of the victim's browser.
The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T14:18:51.075955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T14:19:01.182Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/webform_multifile",
"defaultStatus": "unaffected",
"packageName": "Webform Multifile Upload",
"product": "Drupal",
"repo": "https://git.drupalcode.org/project/webform_multifile",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "7.x"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious\u003cbr\u003efilename containing JavaScript code (e.g., \"\u0026lt;img src=1 onerror=alert(document.domain)\u0026gt;\") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts\u003cbr\u003ein the context of the victim\u0027s browser.\u003cbr\u003e \u003cbr\u003eThe issue is present in a third-party library and has been addressed in a patch available at\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/fyneworks/multifile/pull/44\"\u003ehttps://github.com/fyneworks/multifile/pull/44\u003c/a\u003e. Users are advised to apply the provided patch or update to a fixed version of the module.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious\nfilename containing JavaScript code (e.g., \"\u003cimg src=1 onerror=alert(document.domain)\u003e\") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts\nin the context of the victim\u0027s browser.\n \nThe issue is present in a third-party library and has been addressed in a patch available at\u00a0 https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T01:28:33.628Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/node/3105204"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS vulnerability when rendering filename in Webform Multiform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12848",
"datePublished": "2025-11-26T01:28:33.628Z",
"dateReserved": "2025-11-06T21:09:12.402Z",
"dateUpdated": "2025-11-26T14:19:01.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12761 (GCVE-0-2025-12761)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:56 – Updated: 2025-11-18 20:33
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi step form: from 0.0.0 before 2.0.0.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Simple multi step form |
Affected:
0.0.0 , < 2.0.0
(semver)
|
Credits
Ide Braakman (idebr)
Diosbel MezquÃa (dmezquia)
Ide Braakman (idebr)
Vitaliy Bogomazyuk (vitaliyb98)
Greg Knaddison (greggles)
Ivo Van Geertruyen (mr.baileys)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:33:42.542969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:33:44.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/simple_multistep",
"defaultStatus": "unaffected",
"product": "Simple multi step form",
"repo": "https://git.drupalcode.org/project/simple_multistep",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ide Braakman (idebr)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Diosbel Mezqu\u00c3\u00ada (dmezquia)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ide Braakman (idebr)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Vitaliy Bogomazyuk (vitaliyb98)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Ivo Van Geertruyen (mr.baileys)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-05T18:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Simple multi step form: from 0.0.0 before 2.0.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS).This issue affects Simple multi step form: from 0.0.0 before 2.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:56:14.234Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-116"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12761",
"datePublished": "2025-11-18T16:56:14.234Z",
"dateReserved": "2025-11-05T17:03:17.026Z",
"dateUpdated": "2025-11-18T20:33:44.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12760 (GCVE-0-2025-12760)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:55 – Updated: 2025-11-18 20:30
VLAI?
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.This issue affects Email TFA: from 0.0.0 before 2.0.6.
Severity ?
5.4 (Medium)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Credits
Pierre Rudloff (prudloff)
abdulaziz zaid
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:29:53.665381Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:30:29.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/email_tfa",
"defaultStatus": "unaffected",
"product": "Email TFA",
"repo": "https://git.drupalcode.org/project/email_tfa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.6",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "abdulaziz zaid"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2025-11-05T18:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.\u003cp\u003eThis issue affects Email TFA: from 0.0.0 before 2.0.6.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.This issue affects Email TFA: from 0.0.0 before 2.0.6."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:55:59.017Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-115"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12760",
"datePublished": "2025-11-18T16:55:59.017Z",
"dateReserved": "2025-11-05T17:03:15.328Z",
"dateUpdated": "2025-11-18T20:30:29.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13083 (GCVE-0-2025-13083)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:55 – Updated: 2025-11-18 20:31
VLAI?
Summary
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
CWE
- CWE-525 - Use of Web Browser Cache Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
Damien McKenna (damienmckenna)
tame4tex
Benji Fisher (benjifisher)
catch (catch)
Neil Drumm (drumm)
Lee Rowlands (larowlan)
Mingsong (mingsong)
Mohit Aghera (mohit_aghera)
James Gilliland (neclimdul)
Juraj Nemec (poker10)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:31:33.666610Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:31:36.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "finder",
"value": "tame4tex"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mohit Aghera (mohit_aghera)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "James Gilliland (neclimdul)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T20:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-525",
"description": "CWE-525 Use of Web Browser Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:55:37.269Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-008"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13083",
"datePublished": "2025-11-18T16:55:37.269Z",
"dateReserved": "2025-11-12T18:26:39.713Z",
"dateUpdated": "2025-11-18T20:31:36.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13082 (GCVE-0-2025-13082)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:55 – Updated: 2025-11-18 20:32
VLAI?
Summary
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
4.3 (Medium)
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
Kevin Quillen (kevinquillen)
Benji Fisher (benjifisher)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
Mingsong (mingsong)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:32:40.692859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:32:44.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Quillen (kevinquillen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T20:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:55:16.062Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-007"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Defacement - SA-CORE-2025-007",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13082",
"datePublished": "2025-11-18T16:55:16.062Z",
"dateReserved": "2025-11-12T18:26:38.404Z",
"dateUpdated": "2025-11-18T20:32:44.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13081 (GCVE-0-2025-13081)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:54 – Updated: 2025-11-19 04:55
VLAI?
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
5.9 (Medium)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
anzuukino
Anna Kalata (akalata)
catch (catch)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T04:55:19.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anzuukino"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T18:34:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:54:56.214Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13081",
"datePublished": "2025-11-18T16:54:56.214Z",
"dateReserved": "2025-11-12T18:26:37.184Z",
"dateUpdated": "2025-11-19T04:55:19.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13080 (GCVE-0-2025-13080)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:54 – Updated: 2025-11-18 20:35
VLAI?
Summary
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
5.3 (Medium)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
Dragos Dumitrescu (dragos-dumi)
yasser ALLAM (inzo_)
Nils Destoop (nils.destoop)
Sven Decabooter (svendecabooter)
zhero
Alex Pott (alexpott)
catch (catch)
cilefen (cilefen)
Jen Lampton (jenlampton)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Nils Destoop (nils.destoop)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:35:13.962818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:35:16.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dragos Dumitrescu (dragos-dumi)"
},
{
"lang": "en",
"type": "finder",
"value": "yasser ALLAM (inzo_)"
},
{
"lang": "en",
"type": "finder",
"value": "Nils Destoop (nils.destoop)"
},
{
"lang": "en",
"type": "finder",
"value": "Sven Decabooter (svendecabooter)"
},
{
"lang": "en",
"type": "finder",
"value": "zhero"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alex Pott (alexpott)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jen Lampton (jenlampton)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Nils Destoop (nils.destoop)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-11-12T18:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:54:32.042Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-005"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13080",
"datePublished": "2025-11-18T16:54:32.042Z",
"dateReserved": "2025-11-12T18:26:35.916Z",
"dateUpdated": "2025-11-18T20:35:16.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12466 (GCVE-0-2025-12466)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:14 – Updated: 2025-10-30 14:38
VLAI?
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass.This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7.
Severity ?
7.5 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Simple OAuth (OAuth2) & OpenID Connect |
Affected:
6.0.0 , < 6.0.7
(semver)
|
Credits
coffeemakr
Bojan Bogdanovic (bojan_dev)
coffeemakr
Juraj Nemec (poker10)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:37:41.111051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:38:59.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/simple_oauth",
"defaultStatus": "unaffected",
"product": "Simple OAuth (OAuth2) \u0026 OpenID Connect",
"repo": "https://git.drupalcode.org/project/simple_oauth",
"vendor": "Drupal",
"versions": [
{
"lessThan": "6.0.7",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "coffeemakr"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bojan Bogdanovic (bojan_dev)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "coffeemakr"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-10-29T16:44:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) \u0026amp; OpenID Connect allows Authentication Bypass.\u003cp\u003eThis issue affects Simple OAuth (OAuth2) \u0026amp; OpenID Connect: from 6.0.0 before 6.0.7.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) \u0026 OpenID Connect allows Authentication Bypass.This issue affects Simple OAuth (OAuth2) \u0026 OpenID Connect: from 6.0.0 before 6.0.7."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:14:51.343Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-114"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Simple OAuth (OAuth2) \u0026 OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12466",
"datePublished": "2025-10-29T23:14:51.343Z",
"dateReserved": "2025-10-29T14:43:07.597Z",
"dateUpdated": "2025-10-30T14:38:59.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12083 (GCVE-0-2025-12083)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:14 – Updated: 2025-10-30 14:40
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | CivicTheme Design System |
Affected:
0.0.0 , < 1.12.0
(semver)
|
Credits
Adam Bramley (acbramley)
Lee Rowlands (larowlan)
Alan Cole (alan.cole)
Daniel (danielgry)
Fiona Morrison (fionamorrison23)
Suchi Garg (gargsuchi)
Lee Rowlands (larowlan)
Richard Gaunt (richardgaunt)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:39:43.077712Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:40:11.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/civictheme",
"defaultStatus": "unaffected",
"product": "CivicTheme Design System",
"repo": "https://git.drupalcode.org/project/civictheme",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Bramley (acbramley)"
},
{
"lang": "en",
"type": "finder",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alan Cole (alan.cole)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel (danielgry)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fiona Morrison (fionamorrison23)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Suchi Garg (gargsuchi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Richard Gaunt (richardgaunt)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2025-10-22T16:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:14:33.900Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-113"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12083",
"datePublished": "2025-10-29T23:14:33.900Z",
"dateReserved": "2025-10-22T16:06:23.591Z",
"dateUpdated": "2025-10-30T14:40:11.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12082 (GCVE-0-2025-12082)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:14 – Updated: 2025-10-30 14:41
VLAI?
Summary
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
Severity ?
7.5 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | CivicTheme Design System |
Affected:
0.0.0 , < 1.12.0
(semver)
|
Credits
Lee Rowlands (larowlan)
Alan Cole (alan.cole)
Daniel (danielgry)
Fiona Morrison (fionamorrison23)
Suchi Garg (gargsuchi)
Joshua Fernandes (joshua1234511)
Lee Rowlands (larowlan)
Richard Gaunt (richardgaunt)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:41:02.629401Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:41:28.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/civictheme",
"defaultStatus": "unaffected",
"product": "CivicTheme Design System",
"repo": "https://git.drupalcode.org/project/civictheme",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alan Cole (alan.cole)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel (danielgry)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fiona Morrison (fionamorrison23)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Suchi Garg (gargsuchi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joshua Fernandes (joshua1234511)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Richard Gaunt (richardgaunt)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2025-10-22T16:34:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.\u003cp\u003eThis issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:14:19.017Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-112"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12082",
"datePublished": "2025-10-29T23:14:19.017Z",
"dateReserved": "2025-10-22T16:06:21.893Z",
"dateUpdated": "2025-10-30T14:41:28.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10929 (GCVE-0-2025-10929)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:14 – Updated: 2025-10-30 13:31
VLAI?
Summary
Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables.This issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2.
Severity ?
5.3 (Medium)
CWE
- CWE-1288 - Improper Validation of Consistency within Input
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Reverse Proxy Header |
Affected:
0.0.0 , < 1.1.2
(semver)
|
Credits
Pierre Rudloff (prudloff)
Bohdan Artemchuk (bohart)
Drew Webber (mcdruid)
Pierre Rudloff (prudloff)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10929",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T13:31:45.484329Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T13:31:48.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/reverse_proxy_header",
"defaultStatus": "unaffected",
"product": "Reverse Proxy Header",
"repo": "https://git.drupalcode.org/project/reverse_proxy_header",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.1.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bohdan Artemchuk (bohart)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2025-09-24T17:28:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables.\u003cp\u003eThis issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2.\u003c/p\u003e"
}
],
"value": "Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables.This issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1288",
"description": "CWE-1288 Improper Validation of Consistency within Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:14:07.047Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-111"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-10929",
"datePublished": "2025-10-29T23:14:07.047Z",
"dateReserved": "2025-09-24T16:53:13.156Z",
"dateUpdated": "2025-10-30T13:31:48.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10930 (GCVE-0-2025-10930)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:13 – Updated: 2025-10-30 13:27
VLAI?
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery.This issue affects Currency: from 0.0.0 before 3.5.0.
Severity ?
6.5 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Credits
Juraj Nemec (poker10)
Sascha Grossenbacher (berdir)
Pieter Frenssen (pfrenssen)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10930",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T13:27:07.686303Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T13:27:10.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/currency",
"defaultStatus": "unaffected",
"product": "Currency",
"repo": "https://git.drupalcode.org/project/currency",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.5.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sascha Grossenbacher (berdir)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pieter Frenssen (pfrenssen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-09-24T17:27:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Currency: from 0.0.0 before 3.5.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery.This issue affects Currency: from 0.0.0 before 3.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:13:54.547Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-110"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Currency - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-110",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-10930",
"datePublished": "2025-10-29T23:13:54.547Z",
"dateReserved": "2025-09-24T16:53:14.378Z",
"dateUpdated": "2025-10-30T13:27:10.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10931 (GCVE-0-2025-10931)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:13 – Updated: 2025-10-30 14:15
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Umami Analytics |
Affected:
0.0.0 , < 1.0.1
(semver)
|
Credits
Pierre Rudloff (prudloff)
Ivica Puljic (pivica)
Damien McKenna (damienmckenna)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10931",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T13:23:23.156073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:15:53.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/umami_analytics",
"defaultStatus": "unaffected",
"product": "Umami Analytics",
"repo": "https://git.drupalcode.org/project/umami_analytics",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.1",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ivica Puljic (pivica)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2025-09-24T17:27:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Umami Analytics: from 0.0.0 before 1.0.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:13:40.417Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-109"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-10931",
"datePublished": "2025-10-29T23:13:40.417Z",
"dateReserved": "2025-09-24T16:53:15.544Z",
"dateUpdated": "2025-10-30T14:15:53.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10928 (GCVE-0-2025-10928)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:13 – Updated: 2025-10-30 13:07
VLAI?
Summary
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.5.
Severity ?
6.3 (Medium)
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Access code |
Affected:
0.0.0 , < 2.0.5
(semver)
|
Credits
Pierre Rudloff (prudloff)
Gergely Lekli (glekli)
Pierre Rudloff (prudloff)
Greg Knaddison (greggles)
Pierre Rudloff (prudloff)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10928",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T13:07:19.574657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T13:07:25.555Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/access_code",
"defaultStatus": "unaffected",
"product": "Access code",
"repo": "https://git.drupalcode.org/project/access_code",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Gergely Lekli (glekli)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2025-09-24T17:27:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.\u003cp\u003eThis issue affects Access code: from 0.0.0 before 2.0.5.\u003c/p\u003e"
}
],
"value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:13:25.064Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-108"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-10928",
"datePublished": "2025-10-29T23:13:25.064Z",
"dateReserved": "2025-09-24T16:53:11.887Z",
"dateUpdated": "2025-10-30T13:07:25.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10927 (GCVE-0-2025-10927)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:13 – Updated: 2025-10-30 14:42
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site Scripting (XSS).This issue affects Plausible tracking: from 0.0.0 before 1.0.2.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Plausible tracking |
Affected:
0.0.0 , < 1.0.2
(semver)
|
Credits
Pierre Rudloff (prudloff)
Pierre Rudloff (prudloff)
Benjamin Rasmussen (ras-ben)
Damien McKenna (damienmckenna)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10927",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:42:09.758906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:42:43.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/plausible_tracking",
"defaultStatus": "unaffected",
"product": "Plausible tracking",
"repo": "https://git.drupalcode.org/project/plausible_tracking",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benjamin Rasmussen (ras-ben)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
}
],
"datePublic": "2025-09-24T17:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Plausible tracking allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Plausible tracking: from 0.0.0 before 1.0.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Plausible tracking allows Cross-Site Scripting (XSS).This issue affects Plausible tracking: from 0.0.0 before 1.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:13:12.338Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-107"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-10927",
"datePublished": "2025-10-29T23:13:12.338Z",
"dateReserved": "2025-09-24T16:53:10.724Z",
"dateUpdated": "2025-10-30T14:42:43.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10926 (GCVE-0-2025-10926)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:12 – Updated: 2025-10-30 14:43
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting (XSS).This issue affects JSON Field: from 0.0.0 before 1.5.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | JSON Field |
Affected:
0.0.0 , < 1.5
(semver)
|
Credits
Ivan (chi)
Ivan (chi)
Damien McKenna (damienmckenna)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10926",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:43:22.746888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:43:55.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/json_field",
"defaultStatus": "unaffected",
"product": "JSON Field",
"repo": "https://git.drupalcode.org/project/json_field",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ivan (chi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ivan (chi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2025-09-24T17:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal JSON Field allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects JSON Field: from 0.0.0 before 1.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal JSON Field allows Cross-Site Scripting (XSS).This issue affects JSON Field: from 0.0.0 before 1.5."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:12:56.914Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-106"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JSON Field - Critical - Cross Site Scripting - SA-CONTRIB-2025-106",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-10926",
"datePublished": "2025-10-29T23:12:56.914Z",
"dateReserved": "2025-09-24T16:53:09.180Z",
"dateUpdated": "2025-10-30T14:43:55.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9954 (GCVE-0-2025-9954)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:12 – Updated: 2025-10-30 14:45
VLAI?
Summary
Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing.This issue affects Acquia DAM: from 0.0.0 before 1.1.5.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Acquia DAM |
Affected:
0.0.0 , < 1.1.5
(semver)
|
Credits
Brandon Goodwin (bgoodie)
Chris Burge (chris burge)
Todd Woofenden (toddwoof)
Chris Burge (chris burge)
Damien McKenna (damienmckenna)
Jakob P (japerry)
Todd Woofenden (toddwoof)
cilefen (cilefen)
Greg Knaddison (greggles)
Cathy Theys (yesct)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-9954",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:44:50.718831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:45:16.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/acquia_dam",
"defaultStatus": "unaffected",
"product": "Acquia DAM",
"repo": "https://git.drupalcode.org/project/acquia_dam",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.1.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Brandon Goodwin (bgoodie)"
},
{
"lang": "en",
"type": "finder",
"value": "Chris Burge (chris burge)"
},
{
"lang": "en",
"type": "finder",
"value": "Todd Woofenden (toddwoof)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Chris Burge (chris burge)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jakob P (japerry)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Todd Woofenden (toddwoof)"
},
{
"lang": "en",
"type": "coordinator",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Cathy Theys (yesct)"
}
],
"datePublic": "2025-09-03T16:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing.\u003cp\u003eThis issue affects Acquia DAM: from 0.0.0 before 1.1.5.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing.This issue affects Acquia DAM: from 0.0.0 before 1.1.5."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:12:41.751Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-105"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-9954",
"datePublished": "2025-10-29T23:12:41.751Z",
"dateReserved": "2025-09-03T14:46:35.965Z",
"dateUpdated": "2025-10-30T14:45:16.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9554 (GCVE-0-2025-9554)
Vulnerability from cvelistv5 – Published: 2025-10-10 22:25 – Updated: 2025-10-15 19:22
VLAI?
Summary
Vulnerability in Drupal Owl Carousel 2.This issue affects Owl Carousel 2: *.*.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Owl Carousel 2 |
Affected:
*.*
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-9554",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T19:21:52.261309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T19:22:29.982Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/owlcarousel2",
"defaultStatus": "unaffected",
"product": "Owl Carousel 2",
"repo": "https://git.drupalcode.org/project/owlcarousel2",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-08-27T17:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Drupal Owl Carousel 2.\u003cp\u003eThis issue affects Owl Carousel 2: *.*.\u003c/p\u003e"
}
],
"value": "Vulnerability in Drupal Owl Carousel 2.This issue affects Owl Carousel 2: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T22:25:48.838Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-104"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Owl Carousel 2 - Critical - Unsupported - SA-CONTRIB-2025-104",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-9554",
"datePublished": "2025-10-10T22:25:48.838Z",
"dateReserved": "2025-08-27T16:08:35.387Z",
"dateUpdated": "2025-10-15T19:22:29.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9553 (GCVE-0-2025-9553)
Vulnerability from cvelistv5 – Published: 2025-10-10 22:25 – Updated: 2025-10-15 19:21
VLAI?
Summary
Vulnerability in Drupal API Key manager.This issue affects API Key manager: *.*.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | API Key manager |
Affected:
*.*
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-9553",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T19:21:03.341495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T19:21:28.347Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/api_key_manager",
"defaultStatus": "unaffected",
"product": "API Key manager",
"repo": "https://git.drupalcode.org/project/api_key_manager",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-08-27T17:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Drupal API Key manager.\u003cp\u003eThis issue affects API Key manager: *.*.\u003c/p\u003e"
}
],
"value": "Vulnerability in Drupal API Key manager.This issue affects API Key manager: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T22:25:36.628Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-103"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "API Key manager - Critical - Unsupported - SA-CONTRIB-2025-103",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-9553",
"datePublished": "2025-10-10T22:25:36.628Z",
"dateReserved": "2025-08-27T16:08:34.423Z",
"dateUpdated": "2025-10-15T19:21:28.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9552 (GCVE-0-2025-9552)
Vulnerability from cvelistv5 – Published: 2025-10-10 22:25 – Updated: 2025-10-15 19:20
VLAI?
Summary
Vulnerability in Drupal Synchronize composer.Json With Contrib Modules.This issue affects Synchronize composer.Json With Contrib Modules: *.*.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Synchronize composer.json With Contrib Modules |
Affected:
*.*
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-9552",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T19:19:47.673143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T19:20:18.945Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/sync_composer_with_contrib",
"defaultStatus": "unaffected",
"product": "Synchronize composer.json With Contrib Modules",
"repo": "https://git.drupalcode.org/project/sync_composer_with_contrib",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "*.*",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-08-27T17:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in Drupal Synchronize composer.Json With Contrib Modules.\u003cp\u003eThis issue affects Synchronize composer.Json With Contrib Modules: *.*.\u003c/p\u003e"
}
],
"value": "Vulnerability in Drupal Synchronize composer.Json With Contrib Modules.This issue affects Synchronize composer.Json With Contrib Modules: *.*."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T22:25:22.179Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-102"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-9552",
"datePublished": "2025-10-10T22:25:22.179Z",
"dateReserved": "2025-08-27T16:08:33.327Z",
"dateUpdated": "2025-10-15T19:20:18.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9551 (GCVE-0-2025-9551)
Vulnerability from cvelistv5 – Published: 2025-10-10 22:24 – Updated: 2025-10-15 19:15
VLAI?
Summary
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force.This issue affects Protected Pages: from 0.0.0 before 1.8.0.
Severity ?
6.5 (Medium)
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Protected Pages |
Affected:
0.0.0 , < 1.8.0
(semver)
|
Credits
Pierre Rudloff (prudloff)
Oksana Cyrwus (oksana-c)
Ra Mänd (ram4nd)
Benji Fisher (benjifisher)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-9551",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T19:15:30.354799Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T19:15:49.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/protected_pages",
"defaultStatus": "unaffected",
"product": "Protected Pages",
"repo": "https://git.drupalcode.org/project/protected_pages",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Oksana Cyrwus (oksana-c)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-08-27T17:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force.\u003cp\u003eThis issue affects Protected Pages: from 0.0.0 before 1.8.0.\u003c/p\u003e"
}
],
"value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force.This issue affects Protected Pages: from 0.0.0 before 1.8.0."
}
],
"impacts": [
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T22:24:59.070Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-101"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-9551",
"datePublished": "2025-10-10T22:24:59.070Z",
"dateReserved": "2025-08-27T16:08:32.347Z",
"dateUpdated": "2025-10-15T19:15:49.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9550 (GCVE-0-2025-9550)
Vulnerability from cvelistv5 – Published: 2025-10-10 22:24 – Updated: 2025-10-15 19:14
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Credits
Pierre Rudloff (prudloff)
Joris Vercammen (borisson_)
Thomas Seidl (drunken monkey)
Pierre Rudloff (prudloff)
Damien McKenna (damienmckenna)
Ivo Van Geertruyen (mr.baileys)
Pierre Rudloff (prudloff)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-9550",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T19:14:29.318638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T19:14:57.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/facets",
"defaultStatus": "unaffected",
"product": "Facets",
"repo": "https://git.drupalcode.org/project/facets",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.10",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "3.0.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joris Vercammen (borisson_)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Thomas Seidl (drunken monkey)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Ivo Van Geertruyen (mr.baileys)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2025-08-27T17:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T22:24:34.606Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-100"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Facets - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-100",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-9550",
"datePublished": "2025-10-10T22:24:34.606Z",
"dateReserved": "2025-08-27T16:08:31.397Z",
"dateUpdated": "2025-10-15T19:14:57.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9549 (GCVE-0-2025-9549)
Vulnerability from cvelistv5 – Published: 2025-10-10 22:24 – Updated: 2025-10-15 19:12
VLAI?
Summary
Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing.This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
Credits
Damien McKenna (damienmckenna)
Benji Fisher (benjifisher)
Joris Vercammen (borisson_)
Damien McKenna (damienmckenna)
Thomas Seidl (drunken monkey)
Jimmy Henderickx (strykaizer)
Benji Fisher (benjifisher)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Cathy Theys (yesct)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-9549",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T19:11:14.497532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T19:12:16.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/facets",
"defaultStatus": "unaffected",
"product": "Facets",
"repo": "https://git.drupalcode.org/project/facets",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.10",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "3.0.1",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joris Vercammen (borisson_)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Thomas Seidl (drunken monkey)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jimmy Henderickx (strykaizer)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Cathy Theys (yesct)"
}
],
"datePublic": "2025-08-27T17:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing.\u003cp\u003eThis issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing.This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T22:24:16.674Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-099"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-9549",
"datePublished": "2025-10-10T22:24:16.674Z",
"dateReserved": "2025-08-27T16:08:30.544Z",
"dateUpdated": "2025-10-15T19:12:16.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8093 (GCVE-0-2025-8093)
Vulnerability from cvelistv5 – Published: 2025-10-10 22:23 – Updated: 2025-10-15 13:44
VLAI?
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.8.
Severity ?
8.8 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Authenticator Login |
Affected:
0.0.0 , < 2.1.8
(semver)
|
Credits
Pierre Rudloff (prudloff)
Ahmed Raza (ahmed.raza)
Pierre Rudloff (prudloff)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Cathy Theys (yesct)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-8093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T13:44:17.127731Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T13:44:54.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/alogin",
"defaultStatus": "unaffected",
"product": "Authenticator Login",
"repo": "https://git.drupalcode.org/project/alogin",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.8",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ahmed Raza (ahmed.raza)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Cathy Theys (yesct)"
}
],
"datePublic": "2025-08-27T17:19:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.\u003cp\u003eThis issue affects Authenticator Login: from 0.0.0 before 2.1.8.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.8."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T22:23:57.718Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-098"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-8093",
"datePublished": "2025-10-10T22:23:57.718Z",
"dateReserved": "2025-07-23T16:28:08.397Z",
"dateUpdated": "2025-10-15T13:44:54.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8996 (GCVE-0-2025-8996)
Vulnerability from cvelistv5 – Published: 2025-08-15 16:27 – Updated: 2025-08-15 16:41
VLAI?
Summary
Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Layout Builder Advanced Permissions |
Affected:
0.0.0 , < 2.2.0
(semver)
|
Credits
Eelke Blok (eelkeblok)
Michael Whittaker (mrwhittaker)
Eelke Blok (eelkeblok)
Sorin Dediu (sdstyles)
Sean Blommaert (seanb)
Anna Kalata (akalata)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Cathy Theys (yesct)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-8996",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-15T16:40:39.339474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T16:41:33.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/layout_builder_perms",
"defaultStatus": "unaffected",
"product": "Layout Builder Advanced Permissions",
"repo": "https://git.drupalcode.org/project/layout_builder_perms",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.2.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eelke Blok (eelkeblok)"
},
{
"lang": "en",
"type": "finder",
"value": "Michael Whittaker (mrwhittaker)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Eelke Blok (eelkeblok)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sorin Dediu (sdstyles)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sean Blommaert (seanb)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Cathy Theys (yesct)"
}
],
"datePublic": "2025-08-13T17:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.\u003cp\u003eThis issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T16:27:53.342Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-097"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-8996",
"datePublished": "2025-08-15T16:27:53.342Z",
"dateReserved": "2025-08-13T17:30:32.002Z",
"dateUpdated": "2025-08-15T16:41:33.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8995 (GCVE-0-2025-8995)
Vulnerability from cvelistv5 – Published: 2025-08-15 16:27 – Updated: 2025-08-16 03:55
VLAI?
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.4.
Severity ?
9.8 (Critical)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Authenticator Login |
Affected:
0.0.0 , < 2.1.4
(semver)
|
Credits
Pierre Rudloff (prudloff)
Ahmed Raza (ahmed.raza)
Damien McKenna (damienmckenna)
Dan Smith (galooph)
Greg Knaddison (greggles)
Cathy Theys (yesct)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-8995",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T03:55:56.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/alogin",
"defaultStatus": "unaffected",
"product": "Authenticator Login",
"repo": "https://git.drupalcode.org/project/alogin",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ahmed Raza (ahmed.raza)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dan Smith (galooph)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Cathy Theys (yesct)"
}
],
"datePublic": "2025-08-13T17:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.\u003cp\u003eThis issue affects Authenticator Login: from 0.0.0 before 2.1.4.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.4."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T16:27:39.017Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-096"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-8995",
"datePublished": "2025-08-15T16:27:39.017Z",
"dateReserved": "2025-08-13T17:30:30.716Z",
"dateUpdated": "2025-08-16T03:55:56.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8675 (GCVE-0-2025-8675)
Vulnerability from cvelistv5 – Published: 2025-08-15 16:27 – Updated: 2025-08-15 16:47
VLAI?
Summary
Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery.This issue affects AI SEO Link Advisor: from 0.0.0 before 1.0.6.
Severity ?
4.7 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | AI SEO Link Advisor |
Affected:
0.0.0 , < 1.0.6
(semver)
|
Credits
Alberto Cocchiara (bigbabert)
Conrad Lara (cmlara)
Alberto Cocchiara (bigbabert)
Conrad Lara (cmlara)
Vishal Kadam (vishal.kadam)
Benji Fisher (benjifisher)
catch (catch)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-8675",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-15T16:45:26.218405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T16:47:15.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/ai_seo_link_advisor",
"defaultStatus": "unaffected",
"product": "AI SEO Link Advisor",
"repo": "https://git.drupalcode.org/project/ai_seo_link_advisor",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alberto Cocchiara (bigbabert)"
},
{
"lang": "en",
"type": "finder",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alberto Cocchiara (bigbabert)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Vishal Kadam (vishal.kadam)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2025-08-06T16:50:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery.\u003cp\u003eThis issue affects AI SEO Link Advisor: from 0.0.0 before 1.0.6.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery.This issue affects AI SEO Link Advisor: from 0.0.0 before 1.0.6."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T16:27:21.147Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-095"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-8675",
"datePublished": "2025-08-15T16:27:21.147Z",
"dateReserved": "2025-08-06T16:26:07.494Z",
"dateUpdated": "2025-08-15T16:47:15.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8362 (GCVE-0-2025-8362)
Vulnerability from cvelistv5 – Published: 2025-08-15 16:27 – Updated: 2025-08-15 16:48
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS).This issue affects GoogleTag Manager: from 0.0.0 before 1.10.0.
Severity ?
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | GoogleTag Manager |
Affected:
0.0.0 , < 1.10.0
(semver)
|
Credits
Pierre Rudloff (prudloff)
Anatoly Politsin (apolitsin)
Pierre Rudloff (prudloff)
Ivo Van Geertruyen (mr.baileys)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-8362",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-15T16:48:23.757433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T16:48:56.484Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/gtm",
"defaultStatus": "unaffected",
"product": "GoogleTag Manager",
"repo": "https://git.drupalcode.org/project/gtm",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.10.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Anatoly Politsin (apolitsin)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Ivo Van Geertruyen (mr.baileys)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-07-30T16:31:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects GoogleTag Manager: from 0.0.0 before 1.10.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS).This issue affects GoogleTag Manager: from 0.0.0 before 1.10.0."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T16:27:05.226Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-094"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-8362",
"datePublished": "2025-08-15T16:27:05.226Z",
"dateReserved": "2025-07-30T16:03:42.334Z",
"dateUpdated": "2025-08-15T16:48:56.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8361 (GCVE-0-2025-8361)
Vulnerability from cvelistv5 – Published: 2025-08-15 16:26 – Updated: 2025-08-15 18:01
VLAI?
Summary
Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.This issue affects Config Pages: from 0.0.0 before 2.18.0.
Severity ?
7.6 (High)
CWE
- CWE-962 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Config Pages |
Affected:
0.0.0 , < 2.18.0
(semver)
|
Credits
Pierre Rudloff (prudloff)
Pierre Rudloff (prudloff)
Alexander Shumenko (shumer)
Greg Knaddison (greggles)
Heine Deelstra (heine)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-8361",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-15T18:00:34.376857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T18:01:18.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/config_pages",
"defaultStatus": "unaffected",
"product": "Config Pages",
"repo": "https://git.drupalcode.org/project/config_pages",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.18.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alexander Shumenko (shumer)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Heine Deelstra (heine)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-07-30T16:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.\u003cp\u003eThis issue affects Config Pages: from 0.0.0 before 2.18.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.This issue affects Config Pages: from 0.0.0 before 2.18.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-962",
"description": "CWE-962 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T16:26:46.012Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-093"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Config Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-093",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-8361",
"datePublished": "2025-08-15T16:26:46.012Z",
"dateReserved": "2025-07-30T16:03:41.028Z",
"dateUpdated": "2025-08-15T18:01:18.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8092 (GCVE-0-2025-8092)
Vulnerability from cvelistv5 – Published: 2025-08-15 16:26 – Updated: 2025-08-15 18:13
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.16.
Severity ?
7.6 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | COOKiES Consent Management |
Affected:
0.0.0 , < 1.2.16
(semver)
|
Credits
Pierre Rudloff (prudloff)
Joshua Sedler (grevil)
Joachim Feltkamp (jfeltkamp)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
Cathy Theys (yesct)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-8092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-15T18:10:18.330643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T18:13:13.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/cookies",
"defaultStatus": "unaffected",
"product": "COOKiES Consent Management",
"repo": "https://git.drupalcode.org/project/cookies",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.2.16",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joshua Sedler (grevil)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joachim Feltkamp (jfeltkamp)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Cathy Theys (yesct)"
}
],
"datePublic": "2025-07-23T17:10:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects COOKiES Consent Management: from 0.0.0 before 1.2.16.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.16."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T16:26:27.480Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-092"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-8092",
"datePublished": "2025-08-15T16:26:27.480Z",
"dateReserved": "2025-07-23T16:28:07.563Z",
"dateUpdated": "2025-08-15T18:13:13.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}