CVE-2025-13083
Published 2025-11-18
Priority: P4 · 16 · low · 3.7 (CVSS 3.1)
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.24% (15.4th percentile)
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.5.0 < 10.5.6 | 10.5.6 |
| drupal | core | >= 11.0.0 < 11.1.9 | 11.1.9 |
| drupal | core | >= 11.2.0 < 11.2.8 | 11.2.8 |
| drupal | core | >= 7.0 < 7.103 | 7.103 |
| drupal | core | >= 8.0.0 < 10.4.9 | 10.4.9 |
| drupal | drupal | >= 10.5.0 < 10.5.6 | 10.5.6 |
| drupal | drupal | >= 11.0.0 < 11.1.9 | 11.1.9 |
| drupal | drupal | >= 11.2.0 < 11.2.8 | 11.2.8 |
| drupal | drupal | >= 8.0.0 < 10.4.9 | 10.4.9 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.5.0 < 10.5.6 | 10.5.6 |
| drupal | drupal_core | >= 11.0.0 < 11.1.9 | 11.1.9 |
| drupal | drupal_core | >= 11.2.0 < 11.2.8 | 11.2.8 |
| drupal | drupal_core | 7.0 – 7.103 | — |
| drupal | drupal_core | >= 8.0.0 < 10.4.9 | 10.4.9 |
Drupal
Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008
vendor_drupal·2025-11-12
CVE-2025-13083 [MEDIUM] Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008
Vulnerability Type: Information disclosure
Description: The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module. In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN. This vulnerability is mitigated by the following: Drupal must be configured to handle non-public files using a custom or contributed module providing an additional file scheme. An attacker must kn
GHSA
Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
ghsa·2025-11-18
CVE-2025-13083 [LOW] CWE-525 Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
OSV
Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
osv·2025-11-18
CVE-2025-13083 [LOW] Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
OSV
CVE-2025-13083: The core `system` module handles downloads of private and temporary files
osv·2025-11-12
The core `system` module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the `system` module.
In some cases, files may be served with the HTTP header `Cache-Control: public` when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN.
This vulnerability is mitigated by the following:
1. Drupal must be configured to handle non-public files using a custom or contributed module providing an additional file scheme.
2. An attacker must know to request a file that has previously been requested by a more-privileged user, and that file must still be cached.
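A defender-side check for the condition described above, as an added example (not Drupal's code and not part of the advisory): it parses the `Cache-Control` header of captured responses for non-public file downloads and reports the ones a shared cache such as Varnish or a CDN is allowed to store. It goes beyond the advisory's `public` case to also flag `s-maxage`, a positive `max-age`, and a bare `Expires`; the paths and header values are constructed sample data.

```python
"""Flag file-download responses that a shared cache (Varnish, CDN) may store."""

def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument-or-None}.
    Simplification: quoted arguments that contain commas are not handled."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_reason(headers):
    """Return why a shared cache may store this response, or None if it may not."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return None  # shared caches must not store these
    if "public" in cc:
        return "public"
    if "s-maxage" in cc:
        return "s-maxage"
    max_age = cc.get("max-age")
    if max_age and max_age.isdigit() and int(max_age) > 0:
        return "max-age"
    if "cache-control" not in h and "expires" in h:
        return "expires"  # explicit expiry; the date itself is not evaluated here
    return None

def audit(responses):
    """Return (path, reason) for every response a shared cache may store."""
    findings = []
    for path, headers in responses:
        reason = shared_cache_reason(headers)
        if reason:
            findings.append((path, reason))
    return findings

# Constructed capture of responses for files that should be access-controlled.
SAMPLE_RESPONSES = [
    ("/example/protected/q3-report.pdf", {"Cache-Control": "public, max-age=3600"}),
    ("/example/protected/payroll.csv", {"Cache-Control": "private, no-cache"}),
    ("/example/protected/notes.txt", {"cache-control": "max-age=600, s-maxage=86400"}),
    ("/example/protected/scan.png", {"Cache-Control": "no-store"}),
    ("/example/protected/old.doc", {"Expires": "Thu, 01 Jan 2026 00:00:00 GMT"}),
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_RESPONSES):
        print(f"shared-cacheable ({reason}): {path}")
```
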
Published: 2025-11-18