CVE-2025-31685
Published: 31 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-31685 is a missing authorization vulnerability (CWE-862) in the Drupal Open Social distribution that allows forceful browsing. It affects Open Social versions from 0.0.0 before 12.3.11 in the 12.3.x series and from 12.4.0 before 12.4.10 in the 12.4.x series. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), reflecting its critical severity with no confidentiality impact but high impacts on integrity and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By engaging in forceful browsing, attackers bypass authorization controls, enabling them to achieve high integrity impact through unauthorized modifications and high availability impact, potentially disrupting services.
The Drupal security advisory SA-CONTRIB-2025-014 details the vulnerability and mitigation steps, recommending upgrades to Open Social 12.3.11 or later for the 12.3.x series and 12.4.10 or later for the 12.4.x series.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization vulnerability in public-facing Drupal Open Social web application allows remote unauthenticated forceful browsing to bypass controls, directly enabling exploitation of public-facing applications for initial access and unauthorized modifications.