CVE-2025-31673 - Vulnerability Details - OpenCVE

Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Drupal	Drupal

Configuration 1 [-]

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.drupal.org/sa-core-2025-002

History

Mon, 02 Jun 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Drupal Drupal drupal
CPEs		cpe:2.3:a:drupal:drupal::::::::
Vendors & Products		Drupal Drupal drupal

Tue, 29 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 31 Mar 2025 21:45:00 +0000

Type	Values Removed	Values Added
Description		Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Title		Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
Weaknesses		CWE-863
References		https://www.drupal.org/sa-core-2025-002

MITRE

Status: PUBLISHED

Assigner: drupal

Published: 2025-03-31T21:34:16.118Z

Updated: 2025-04-29T15:47:25.459Z

Reserved: 2025-03-31T21:30:04.614Z

Link: CVE-2025-31673

Vulnrichment

Updated: 2025-04-29T15:46:58.633Z

NVD

Status : Analyzed

Published: 2025-03-31T22:15:19.773

Modified: 2025-06-02T16:25:04.353

Link: CVE-2025-31673

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-31673", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2025-03-31T21:30:04.614Z", "datePublished": "2025-03-31T21:34:16.118Z", "dateUpdated": "2025-04-29T15:47:25.459Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.drupal.org/project/drupal", "defaultStatus": "unaffected", "product": "Drupal core", "repo": "https://git.drupalcode.org/project/drupal", "vendor": "Drupal", "versions": [{"lessThan": "10.3.13", "status": "affected", "version": "8.0.0", "versionType": "semver"}, {"lessThan": "10.4.3", "status": "affected", "version": "10.4.0", "versionType": "semver"}, {"lessThan": "11.0.12", "status": "affected", "version": "11.0.0", "versionType": "semver"}, {"lessThan": "11.1.3", "status": "affected", "version": "11.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "jeff cardwell"}, {"lang": "en", "type": "remediation developer", "value": "Benji Fisher (benjifisher)"}, {"lang": "en", "type": "remediation developer", "value": "jeff cardwell"}, {"lang": "en", "type": "remediation developer", "value": "Mingsong (mingsong)"}, {"lang": "en", "type": "remediation developer", "value": "Juraj Nemec (poker10)"}], "datePublic": "2025-02-19T16:58:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.<p>This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.</p>"}], "value": "Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3."}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2025-03-31T21:34:16.118Z"}, "references": [{"url": "https://www.drupal.org/sa-core-2025-002"}], "source": {"discovery": "UNKNOWN"}, "title": "Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-29T15:47:04.474198Z", "id": "CVE-2025-31673", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T15:47:25.459Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-31673", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-29T15:47:04.474198Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T15:46:58.633Z"}}], "cna": {"title": "Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "jeff cardwell"}, {"lang": "en", "type": "remediation developer", "value": "Benji Fisher (benjifisher)"}, {"lang": "en", "type": "remediation developer", "value": "jeff cardwell"}, {"lang": "en", "type": "remediation developer", "value": "Mingsong (mingsong)"}, {"lang": "en", "type": "remediation developer", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/drupal", "vendor": "Drupal", "product": "Drupal core", "versions": [{"status": "affected", "version": "8.0.0", "lessThan": "10.3.13", "versionType": "semver"}, {"status": "affected", "version": "10.4.0", "lessThan": "10.4.3", "versionType": "semver"}, {"status": "affected", "version": "11.0.0", "lessThan": "11.0.12", "versionType": "semver"}, {"status": "affected", "version": "11.1.0", "lessThan": "11.1.3", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/drupal", "defaultStatus": "unaffected"}], "datePublic": "2025-02-19T16:58:00.000Z", "references": [{"url": "https://www.drupal.org/sa-core-2025-002"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.<p>This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2025-03-31T21:34:16.118Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31673", "state": "PUBLISHED", "dateUpdated": "2025-04-29T15:47:25.459Z", "dateReserved": "2025-03-31T21:30:04.614Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2025-03-31T21:34:16.118Z", "assignerShortName": "drupal"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "61A4CA72-F83D-442A-9139-A2181856DBA2", "versionEndExcluding": "10.3.13", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "995C04AD-296A-458A-B7BF-D23212E152E1", "versionEndExcluding": "10.4.3", "versionStartIncluding": "10.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "249BE2B2-4C47-471B-99C4-F9E88984E13E", "versionEndExcluding": "11.0.12", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C6BF080-5C8B-4047-9EB2-1983E49C3744", "versionEndExcluding": "11.1.3", "versionStartIncluding": "11.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en Drupal Drupal core permite la navegaci\u00f3n forzada. Este problema afecta al n\u00facleo de Drupal: desde 8.0.0 antes de 10.3.13, desde 10.4.0 antes de 10.4.3, desde 11.0.0 antes de 11.0.12, desde 11.1.0 antes de 11.1.3."}], "id": "CVE-2025-31673", "lastModified": "2025-06-02T16:25:04.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-31T22:15:19.773", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2025-002"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}