CVE-2025-13083

CWE-5256 documents5 sources

Severity

3.7LOW

EPSS

0.0%

top 98.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Drupal Core Drupal Drupal Drupal Core

Timeline

PublishedNov 18

Description

Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages3 packages

▶Packagistdrupal/core8.0.0 — 10.4.9+4

▶CVEListV5drupal/drupal_core8.0.0 — 10.4.9+4

▶NVDdrupal/drupal8.0.0 — 10.4.9+3

🔴Vulnerability Details

GHSA

Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels↗2025-11-18

▶

CVEList

Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008↗2025-11-18

▶

OSV

Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels↗2025-11-18

▶

OSV

CVE-2025-13083: The core `system` module handles downloads of private and temporary files↗2025-11-12

▶

📋Vendor Advisories

Drupal

Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008↗2025-11-12

▶