Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2025-0978
Vulnerability from csaf_certbund - Published: 2025-05-07 22:00 - Updated: 2025-05-19 22:00Summary
Drupal Erweiterungen: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Drupal ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.
Angriff
Ein Angreifer kann mehrere Schwachstellen in verschiedenen Drupal Erweiterungen ausnutzen, um Dateien zu manipulieren, Cross-Site-Scripting-Angriffe durchzuführen und Sicherheitsmaßnahmen zu umgehen.
Betroffene Betriebssysteme
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Drupal ist ein freies Content-Management-System, basierend auf der Scriptsprache PHP und einer SQL-Datenbank. \u00dcber zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in verschiedenen Drupal Erweiterungen ausnutzen, um Dateien zu manipulieren, Cross-Site-Scripting-Angriffe durchzuf\u00fchren und Sicherheitsma\u00dfnahmen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-0978 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0978.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-0978 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0978"
},
{
"category": "external",
"summary": "Drupal Security Advisory vom 2025-05-07",
"url": "https://www.drupal.org/sa-contrib-2025-047"
},
{
"category": "external",
"summary": "Drupal Security Advisory vom 2025-05-07",
"url": "https://www.drupal.org/sa-contrib-2025-048"
},
{
"category": "external",
"summary": "Drupal Security Advisory vom 2025-05-07",
"url": "https://www.drupal.org/sa-contrib-2025-049"
},
{
"category": "external",
"summary": "Drupal Security Advisory vom 2025-05-07",
"url": "https://www.drupal.org/sa-contrib-2025-050"
},
{
"category": "external",
"summary": "Drupal Security Advisory vom 2025-05-07",
"url": "https://www.drupal.org/sa-contrib-2025-051"
},
{
"category": "external",
"summary": "Drupal Security Advisory vom 2025-05-07",
"url": "https://www.drupal.org/sa-contrib-2025-052"
},
{
"category": "external",
"summary": "Drupal Security Advisory vom 2025-05-07",
"url": "https://www.drupal.org/sa-contrib-2025-053"
},
{
"category": "external",
"summary": "Drupal Security Advisory vom 2025-05-07",
"url": "https://www.drupal.org/sa-contrib-2025-054"
},
{
"category": "external",
"summary": "Drupal Security Advisory vom 2025-05-07",
"url": "https://www.drupal.org/sa-contrib-2025-055"
},
{
"category": "external",
"summary": "Drupal Security Advisory vom 2025-05-07",
"url": "https://www.drupal.org/sa-contrib-2025-056"
}
],
"source_lang": "en-US",
"title": "Drupal Erweiterungen: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-05-19T22:00:00.000+00:00",
"generator": {
"date": "2025-05-20T07:42:51.481+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2025-0978",
"initial_release_date": "2025-05-07T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-05-07T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-05-15T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2025-14926, EUVD-2025-14932, EUVD-2025-14929"
},
{
"date": "2025-05-19T22:00:00.000+00:00",
"number": "3",
"summary": "Referenz(en) aufgenommen: EUVD-2025-14927, EUVD-2025-14924, EUVD-2025-14928"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Restrict route by IP \u003c1.3.0",
"product": {
"name": "Open Source Drupal Restrict route by IP \u003c1.3.0",
"product_id": "T043476"
}
},
{
"category": "product_version",
"name": "Restrict route by IP 1.3.0",
"product": {
"name": "Open Source Drupal Restrict route by IP 1.3.0",
"product_id": "T043476-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:drupal:drupal:restrict_route_by_ip__1.3.0"
}
}
},
{
"category": "product_version_range",
"name": "oEmbed Providers \u003c2.2.2",
"product": {
"name": "Open Source Drupal oEmbed Providers \u003c2.2.2",
"product_id": "T043477"
}
},
{
"category": "product_version",
"name": "oEmbed Providers 2.2.2",
"product": {
"name": "Open Source Drupal oEmbed Providers 2.2.2",
"product_id": "T043477-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:drupal:drupal:oembed_providers__2.2.2"
}
}
},
{
"category": "product_version_range",
"name": "COOKiES Consent Management \u003c1.2.14",
"product": {
"name": "Open Source Drupal COOKiES Consent Management \u003c1.2.14",
"product_id": "T043478"
}
},
{
"category": "product_version",
"name": "COOKiES Consent Management 1.2.14",
"product": {
"name": "Open Source Drupal COOKiES Consent Management 1.2.14",
"product_id": "T043478-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:drupal:drupal:cookies_consent_management__1.2.14"
}
}
},
{
"category": "product_name",
"name": "Open Source Drupal Klaro Cookie \u0026 Consent Management \u003c3.0.5",
"product": {
"name": "Open Source Drupal Klaro Cookie \u0026 Consent Management \u003c3.0.5",
"product_id": "T043479",
"product_identification_helper": {
"cpe": "cpe:/a:drupal:drupal:klaro_cookie__consent_management__3.0.5"
}
}
},
{
"category": "product_name",
"name": "Open Source Drupal Klaro Cookie \u0026 Consent Management 3.0.5",
"product": {
"name": "Open Source Drupal Klaro Cookie \u0026 Consent Management 3.0.5",
"product_id": "T043479-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:drupal:drupal:klaro_cookie__consent_management__3.0.5"
}
}
},
{
"category": "product_version_range",
"name": "IFrame Remove Filter \u003c2.0.5",
"product": {
"name": "Open Source Drupal IFrame Remove Filter \u003c2.0.5",
"product_id": "T043480"
}
},
{
"category": "product_version",
"name": "IFrame Remove Filter 2.0.5",
"product": {
"name": "Open Source Drupal IFrame Remove Filter 2.0.5",
"product_id": "T043480-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:drupal:drupal:iframe_remove_filter__2.0.5"
}
}
},
{
"category": "product_version_range",
"name": "Enterprise MFA-TFA for Drupal \u003c5.2.0",
"product": {
"name": "Open Source Drupal Enterprise MFA-TFA for Drupal \u003c5.2.0",
"product_id": "T043481"
}
},
{
"category": "product_version",
"name": "Enterprise MFA-TFA for Drupal 5.2.0",
"product": {
"name": "Open Source Drupal Enterprise MFA-TFA for Drupal 5.2.0",
"product_id": "T043481-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:drupal:drupal:enterprise_mfa_-_tfa_for_drupal__5.2.0"
}
}
},
{
"category": "product_version_range",
"name": "Enterprise MFA-TFA for Drupal \u003c8.x-4.7",
"product": {
"name": "Open Source Drupal Enterprise MFA-TFA for Drupal \u003c8.x-4.7",
"product_id": "T043483"
}
},
{
"category": "product_version",
"name": "Enterprise MFA-TFA for Drupal 8.x-4.7",
"product": {
"name": "Open Source Drupal Enterprise MFA-TFA for Drupal 8.x-4.7",
"product_id": "T043483-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:drupal:drupal:enterprise_mfa_-_tfa_for_drupal__8.x-4.7"
}
}
}
],
"category": "product_name",
"name": "Drupal"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47701",
"product_status": {
"known_affected": [
"T043476"
]
},
"release_date": "2025-05-07T22:00:00.000+00:00",
"title": "CVE-2025-47701"
},
{
"cve": "CVE-2025-47702",
"product_status": {
"known_affected": [
"T043477"
]
},
"release_date": "2025-05-07T22:00:00.000+00:00",
"title": "CVE-2025-47702"
},
{
"cve": "CVE-2025-47703",
"product_status": {
"known_affected": [
"T043478"
]
},
"release_date": "2025-05-07T22:00:00.000+00:00",
"title": "CVE-2025-47703"
},
{
"cve": "CVE-2025-47704",
"product_status": {
"known_affected": [
"T043479"
]
},
"release_date": "2025-05-07T22:00:00.000+00:00",
"title": "CVE-2025-47704"
},
{
"cve": "CVE-2025-47705",
"product_status": {
"known_affected": [
"T043480"
]
},
"release_date": "2025-05-07T22:00:00.000+00:00",
"title": "CVE-2025-47705"
},
{
"cve": "CVE-2025-47706",
"product_status": {
"known_affected": [
"T043481",
"T043483"
]
},
"release_date": "2025-05-07T22:00:00.000+00:00",
"title": "CVE-2025-47706"
},
{
"cve": "CVE-2025-47707",
"product_status": {
"known_affected": [
"T043481",
"T043483"
]
},
"release_date": "2025-05-07T22:00:00.000+00:00",
"title": "CVE-2025-47707"
},
{
"cve": "CVE-2025-47709",
"product_status": {
"known_affected": [
"T043481",
"T043483"
]
},
"release_date": "2025-05-07T22:00:00.000+00:00",
"title": "CVE-2025-47709"
},
{
"cve": "CVE-2025-47710",
"product_status": {
"known_affected": [
"T043481",
"T043483"
]
},
"release_date": "2025-05-07T22:00:00.000+00:00",
"title": "CVE-2025-47710"
},
{
"cve": "CVE-2025-47708",
"product_status": {
"known_affected": [
"T043481",
"T043483"
]
},
"release_date": "2025-05-07T22:00:00.000+00:00",
"title": "CVE-2025-47708"
}
]
}
CVE-2025-47707 (GCVE-0-2025-47707)
Vulnerability from cvelistv5 – Published: 2025-05-14 17:03 – Updated: 2025-05-15 14:29
VLAI?
EPSS
Title
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.
Severity ?
7.5 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Enterprise MFA - TFA for Drupal |
Affected:
0.0.0 , < 4.7.0
(semver)
Affected: 5.0.0 , < 5.2.0 (semver) |
Credits
Conrad Lara (cmlara)
Sudhanshu Dhage (sudhanshu0542)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T14:25:23.866914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T14:29:37.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/miniorange_2fa",
"defaultStatus": "unaffected",
"product": "Enterprise MFA - TFA for Drupal",
"repo": "https://git.drupalcode.org/project/miniorange_2fa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.7.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "5.2.0",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sudhanshu Dhage (sudhanshu0542)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-07T17:07:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.\u003cp\u003eThis issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:03:02.330Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-053"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-47707",
"datePublished": "2025-05-14T17:03:02.330Z",
"dateReserved": "2025-05-07T16:02:44.265Z",
"dateUpdated": "2025-05-15T14:29:37.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47703 (GCVE-0-2025-47703)
Vulnerability from cvelistv5 – Published: 2025-05-14 17:01 – Updated: 2025-05-20 16:20
VLAI?
EPSS
Title
COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-049
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.14.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | COOKiES Consent Management |
Affected:
0.0.0 , < 1.2.14
(semver)
|
Credits
Pierre Rudloff (prudloff)
Joachim Feltkamp (jfeltkamp)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-20T16:11:31.021829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T16:20:57.033Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/cookies",
"defaultStatus": "unaffected",
"product": "COOKiES Consent Management",
"repo": "https://git.drupalcode.org/project/cookies",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.2.14",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joachim Feltkamp (jfeltkamp)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-07T17:06:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects COOKiES Consent Management: from 0.0.0 before 1.2.14.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.14."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:01:49.816Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-049"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-049",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-47703",
"datePublished": "2025-05-14T17:01:49.816Z",
"dateReserved": "2025-05-07T16:02:44.264Z",
"dateUpdated": "2025-05-20T16:20:57.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47701 (GCVE-0-2025-47701)
Vulnerability from cvelistv5 – Published: 2025-05-14 17:01 – Updated: 2025-05-20 16:19
VLAI?
EPSS
Title
Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Restrict route by IP allows Cross Site Request Forgery.This issue affects Restrict route by IP: from 0.0.0 before 1.3.0.
Severity ?
8.8 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Restrict route by IP |
Affected:
0.0.0 , < 1.3.0
(semver)
|
Credits
Juraj Nemec (poker10)
lozbes
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-20T15:41:36.584469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T16:19:12.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/restrict_route_by_ip",
"defaultStatus": "unaffected",
"product": "Restrict route by IP",
"repo": "https://git.drupalcode.org/project/restrict_route_by_ip",
"vendor": "Drupal",
"versions": [
{
"lessThan": "1.3.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "lozbes"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-07T17:06:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Restrict route by IP allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Restrict route by IP: from 0.0.0 before 1.3.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Restrict route by IP allows Cross Site Request Forgery.This issue affects Restrict route by IP: from 0.0.0 before 1.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:01:18.960Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-047"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-47701",
"datePublished": "2025-05-14T17:01:18.960Z",
"dateReserved": "2025-05-07T16:02:44.264Z",
"dateUpdated": "2025-05-20T16:19:12.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47705 (GCVE-0-2025-47705)
Vulnerability from cvelistv5 – Published: 2025-05-14 17:02 – Updated: 2025-05-15 14:33
VLAI?
EPSS
Title
IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal IFrame Remove Filter allows Cross-Site Scripting (XSS).This issue affects IFrame Remove Filter: from 0.0.0 before 2.0.5.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | IFrame Remove Filter |
Affected:
0.0.0 , < 2.0.5
(semver)
|
Credits
Pierre Rudloff (prudloff)
Bálint Nagy (nagy.balint)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T14:32:08.677479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T14:33:21.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/iframeremove",
"defaultStatus": "unaffected",
"product": "IFrame Remove Filter",
"repo": "https://git.drupalcode.org/project/iframeremove",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "B\u00c3\u00a1lint Nagy (nagy.balint)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2025-05-07T17:07:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal IFrame Remove Filter allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects IFrame Remove Filter: from 0.0.0 before 2.0.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal IFrame Remove Filter allows Cross-Site Scripting (XSS).This issue affects IFrame Remove Filter: from 0.0.0 before 2.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:02:25.341Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-051"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-47705",
"datePublished": "2025-05-14T17:02:25.341Z",
"dateReserved": "2025-05-07T16:02:44.264Z",
"dateUpdated": "2025-05-15T14:33:21.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47709 (GCVE-0-2025-47709)
Vulnerability from cvelistv5 – Published: 2025-05-14 17:03 – Updated: 2025-05-19 14:29
VLAI?
EPSS
Title
Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055
Summary
Missing Authorization vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Forceful Browsing.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Enterprise MFA - TFA for Drupal |
Affected:
0.0.0 , < 4.7.0
(semver)
Affected: 5.0.0 , < 5.2.0 (semver) |
Credits
Juraj Nemec (poker10)
Sudhanshu Dhage (sudhanshu0542)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47709",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:28:51.253078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:29:13.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/miniorange_2fa",
"defaultStatus": "unaffected",
"product": "Enterprise MFA - TFA for Drupal",
"repo": "https://git.drupalcode.org/project/miniorange_2fa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.7.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "5.2.0",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sudhanshu Dhage (sudhanshu0542)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-07T17:07:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Forceful Browsing.\u003cp\u003eThis issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Forceful Browsing.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:03:28.895Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-055"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-47709",
"datePublished": "2025-05-14T17:03:28.895Z",
"dateReserved": "2025-05-07T16:02:44.265Z",
"dateUpdated": "2025-05-19T14:29:13.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47706 (GCVE-0-2025-47706)
Vulnerability from cvelistv5 – Published: 2025-05-14 17:02 – Updated: 2025-05-19 14:27
VLAI?
EPSS
Title
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052
Summary
Authentication Bypass by Capture-replay vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Remote Services with Stolen Credentials.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.
Severity ?
4.8 (Medium)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Enterprise MFA - TFA for Drupal |
Affected:
0.0.0 , < 4.7.0
(semver)
Affected: 5.0.0 , < 5.2.0 (semver) |
Credits
Conrad Lara (cmlara)
Sudhanshu Dhage (sudhanshu0542)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:26:27.918933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:27:48.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/miniorange_2fa",
"defaultStatus": "unaffected",
"product": "Enterprise MFA - TFA for Drupal",
"repo": "https://git.drupalcode.org/project/miniorange_2fa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.7.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "5.2.0",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sudhanshu Dhage (sudhanshu0542)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-07T17:07:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Capture-replay vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Remote Services with Stolen Credentials.\u003cp\u003eThis issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Capture-replay vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Remote Services with Stolen Credentials.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-555",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-555 Remote Services with Stolen Credentials"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294 Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:02:44.744Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-052"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-47706",
"datePublished": "2025-05-14T17:02:44.744Z",
"dateReserved": "2025-05-07T16:02:44.265Z",
"dateUpdated": "2025-05-19T14:27:48.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47702 (GCVE-0-2025-47702)
Vulnerability from cvelistv5 – Published: 2025-05-14 17:01 – Updated: 2025-05-15 14:36
VLAI?
EPSS
Title
oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal oEmbed Providers allows Cross-Site Scripting (XSS).This issue affects oEmbed Providers: from 0.0.0 before 2.2.2.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | oEmbed Providers |
Affected:
0.0.0 , < 2.2.2
(semver)
|
Credits
Pierre Rudloff (prudloff)
Chris Burge (chris burge)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T14:34:17.913764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T14:36:03.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/oembed_providers",
"defaultStatus": "unaffected",
"product": "oEmbed Providers",
"repo": "https://git.drupalcode.org/project/oembed_providers",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.2.2",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Chris Burge (chris burge)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-07T17:06:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal oEmbed Providers allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects oEmbed Providers: from 0.0.0 before 2.2.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal oEmbed Providers allows Cross-Site Scripting (XSS).This issue affects oEmbed Providers: from 0.0.0 before 2.2.2."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:01:36.012Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-048"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-47702",
"datePublished": "2025-05-14T17:01:36.012Z",
"dateReserved": "2025-05-07T16:02:44.264Z",
"dateUpdated": "2025-05-15T14:36:03.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47708 (GCVE-0-2025-47708)
Vulnerability from cvelistv5 – Published: 2025-05-14 17:03 – Updated: 2025-05-20 16:17
VLAI?
EPSS
Title
Enterprise MFA - TFA for Drupal - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-054
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Cross Site Request Forgery.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.
Severity ?
8.8 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Enterprise MFA - TFA for Drupal |
Affected:
0.0.0 , < 4.7.0
(semver)
Affected: 5.0.0 , < 5.2.0 (semver) |
Credits
Juraj Nemec (poker10)
Sudhanshu Dhage (sudhanshu0542)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47708",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-20T15:42:53.200097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T16:17:25.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/miniorange_2fa",
"defaultStatus": "unaffected",
"product": "Enterprise MFA - TFA for Drupal",
"repo": "https://git.drupalcode.org/project/miniorange_2fa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.7.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "5.2.0",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sudhanshu Dhage (sudhanshu0542)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-07T17:07:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Cross Site Request Forgery.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:03:14.838Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-054"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Enterprise MFA - TFA for Drupal - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-054",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-47708",
"datePublished": "2025-05-14T17:03:14.838Z",
"dateReserved": "2025-05-07T16:02:44.265Z",
"dateUpdated": "2025-05-20T16:17:25.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47704 (GCVE-0-2025-47704)
Vulnerability from cvelistv5 – Published: 2025-05-14 17:02 – Updated: 2025-05-20 16:20
VLAI?
EPSS
Title
Klaro Cookie & Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-050
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Klaro Cookie & Consent Management allows Cross-Site Scripting (XSS).This issue affects Klaro Cookie & Consent Management: from 0.0.0 before 3.0.5.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Klaro Cookie & Consent Management |
Affected:
0.0.0 , < 3.0.5
(semver)
|
Credits
Pierre Rudloff (prudloff)
Jan Kellermann (jan kellermann)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Pierre Rudloff (prudloff)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-20T16:11:54.948296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T16:20:22.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/klaro",
"defaultStatus": "unaffected",
"product": "Klaro Cookie \u0026 Consent Management",
"repo": "https://git.drupalcode.org/project/klaro",
"vendor": "Drupal",
"versions": [
{
"lessThan": "3.0.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff (prudloff)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jan Kellermann (jan kellermann)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Pierre Rudloff (prudloff)"
}
],
"datePublic": "2025-05-07T17:06:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Klaro Cookie \u0026amp; Consent Management allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Klaro Cookie \u0026amp; Consent Management: from 0.0.0 before 3.0.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Klaro Cookie \u0026 Consent Management allows Cross-Site Scripting (XSS).This issue affects Klaro Cookie \u0026 Consent Management: from 0.0.0 before 3.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:02:09.877Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-050"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Klaro Cookie \u0026 Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-050",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-47704",
"datePublished": "2025-05-14T17:02:09.877Z",
"dateReserved": "2025-05-07T16:02:44.264Z",
"dateUpdated": "2025-05-20T16:20:22.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47710 (GCVE-0-2025-47710)
Vulnerability from cvelistv5 – Published: 2025-05-14 17:03 – Updated: 2025-05-19 14:31
VLAI?
EPSS
Title
Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-056
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.
Severity ?
7.4 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Enterprise MFA - TFA for Drupal |
Affected:
0.0.0 , < 4.7.0
(semver)
Affected: 5.0.0 , < 5.2.0 (semver) |
Credits
Conrad Lara (cmlara)
Sudhanshu Dhage (sudhanshu0542)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47710",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:30:59.856706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:31:38.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/miniorange_2fa",
"defaultStatus": "unaffected",
"product": "Enterprise MFA - TFA for Drupal",
"repo": "https://git.drupalcode.org/project/miniorange_2fa",
"vendor": "Drupal",
"versions": [
{
"lessThan": "4.7.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "5.2.0",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Conrad Lara (cmlara)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sudhanshu Dhage (sudhanshu0542)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-05-07T17:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.\u003cp\u003eThis issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T17:03:48.714Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-056"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-056",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-47710",
"datePublished": "2025-05-14T17:03:48.714Z",
"dateReserved": "2025-05-07T16:02:44.265Z",
"dateUpdated": "2025-05-19T14:31:38.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…