CVE-2025-31673

Severity
4.6 MEDIUM
EPSS
0.2%
top 60.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 31
Latest update: Apr 1

Description

Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.1 | Impact: 2.5

Affected Packages
3 packages

Packagist | drupal/core | 8.0.0 | 10.3.13 | +3
CVEListV5 | drupal/drupal_core | 8.0.0 | 10.3.13 | +3
NVD | drupal/drupal | 8.0.0 | 10.3.13 | +3

🔴Vulnerability Details

4
GHSA | Drupal Core Vulnerable to Forceful Browsing | 2025-04-01
OSV | Drupal Core Vulnerable to Forceful Browsing | 2025-04-01
CVEList | Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002 | 2025-03-31
OSV | CVE-2025-31673: Bulk operations allow authorized users to modify several nodes at once from the Content page (`/admin/content`) | 2025-02-19

📋Vendor Advisories

1
Drupal | Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002 | 2025-02-19