Search criteria
4 vulnerabilities found for CivicTheme Design System by Drupal
CVE-2025-12083 (GCVE-0-2025-12083)
Vulnerability from nvd – Published: 2025-10-29 23:14 – Updated: 2025-10-30 14:40
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | CivicTheme Design System |
Affected:
0.0.0 , < 1.12.0
(semver)
|
Credits
Adam Bramley (acbramley)
Lee Rowlands (larowlan)
Alan Cole (alan.cole)
Daniel (danielgry)
Fiona Morrison (fionamorrison23)
Suchi Garg (gargsuchi)
Lee Rowlands (larowlan)
Richard Gaunt (richardgaunt)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:39:43.077712Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:40:11.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/civictheme",
"defaultStatus": "unaffected",
"product": "CivicTheme Design System",
"repo": "https://git.drupalcode.org/project/civictheme",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Bramley (acbramley)"
},
{
"lang": "en",
"type": "finder",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alan Cole (alan.cole)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel (danielgry)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fiona Morrison (fionamorrison23)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Suchi Garg (gargsuchi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Richard Gaunt (richardgaunt)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2025-10-22T16:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:14:33.900Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-113"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12083",
"datePublished": "2025-10-29T23:14:33.900Z",
"dateReserved": "2025-10-22T16:06:23.591Z",
"dateUpdated": "2025-10-30T14:40:11.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12082 (GCVE-0-2025-12082)
Vulnerability from nvd – Published: 2025-10-29 23:14 – Updated: 2025-10-30 14:41
VLAI?
Summary
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
Severity ?
7.5 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | CivicTheme Design System |
Affected:
0.0.0 , < 1.12.0
(semver)
|
Credits
Lee Rowlands (larowlan)
Alan Cole (alan.cole)
Daniel (danielgry)
Fiona Morrison (fionamorrison23)
Suchi Garg (gargsuchi)
Joshua Fernandes (joshua1234511)
Lee Rowlands (larowlan)
Richard Gaunt (richardgaunt)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:41:02.629401Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:41:28.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/civictheme",
"defaultStatus": "unaffected",
"product": "CivicTheme Design System",
"repo": "https://git.drupalcode.org/project/civictheme",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alan Cole (alan.cole)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel (danielgry)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fiona Morrison (fionamorrison23)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Suchi Garg (gargsuchi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joshua Fernandes (joshua1234511)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Richard Gaunt (richardgaunt)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2025-10-22T16:34:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.\u003cp\u003eThis issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:14:19.017Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-112"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12082",
"datePublished": "2025-10-29T23:14:19.017Z",
"dateReserved": "2025-10-22T16:06:21.893Z",
"dateUpdated": "2025-10-30T14:41:28.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12083 (GCVE-0-2025-12083)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:14 – Updated: 2025-10-30 14:40
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | CivicTheme Design System |
Affected:
0.0.0 , < 1.12.0
(semver)
|
Credits
Adam Bramley (acbramley)
Lee Rowlands (larowlan)
Alan Cole (alan.cole)
Daniel (danielgry)
Fiona Morrison (fionamorrison23)
Suchi Garg (gargsuchi)
Lee Rowlands (larowlan)
Richard Gaunt (richardgaunt)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:39:43.077712Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:40:11.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/civictheme",
"defaultStatus": "unaffected",
"product": "CivicTheme Design System",
"repo": "https://git.drupalcode.org/project/civictheme",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Bramley (acbramley)"
},
{
"lang": "en",
"type": "finder",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alan Cole (alan.cole)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel (danielgry)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fiona Morrison (fionamorrison23)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Suchi Garg (gargsuchi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Richard Gaunt (richardgaunt)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2025-10-22T16:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting (XSS).This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:14:33.900Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-113"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12083",
"datePublished": "2025-10-29T23:14:33.900Z",
"dateReserved": "2025-10-22T16:06:23.591Z",
"dateUpdated": "2025-10-30T14:40:11.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12082 (GCVE-0-2025-12082)
Vulnerability from cvelistv5 – Published: 2025-10-29 23:14 – Updated: 2025-10-30 14:41
VLAI?
Summary
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
Severity ?
7.5 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | CivicTheme Design System |
Affected:
0.0.0 , < 1.12.0
(semver)
|
Credits
Lee Rowlands (larowlan)
Alan Cole (alan.cole)
Daniel (danielgry)
Fiona Morrison (fionamorrison23)
Suchi Garg (gargsuchi)
Joshua Fernandes (joshua1234511)
Lee Rowlands (larowlan)
Richard Gaunt (richardgaunt)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:41:02.629401Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:41:28.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/civictheme",
"defaultStatus": "unaffected",
"product": "CivicTheme Design System",
"repo": "https://git.drupalcode.org/project/civictheme",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.12.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alan Cole (alan.cole)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel (danielgry)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fiona Morrison (fionamorrison23)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Suchi Garg (gargsuchi)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joshua Fernandes (joshua1234511)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Richard Gaunt (richardgaunt)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2025-10-22T16:34:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.\u003cp\u003eThis issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T23:14:19.017Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-112"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-12082",
"datePublished": "2025-10-29T23:14:19.017Z",
"dateReserved": "2025-10-22T16:06:21.893Z",
"dateUpdated": "2025-10-30T14:41:28.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}