Cyber Posture

CVE-2025-31686

Severity: High
Published: 31 March 2025
Modified: 25 August 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (63.1th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-31686 is a missing authorization vulnerability (CWE-862) in the Drupal Open Social distribution that allows forceful browsing. The issue affects Open Social versions from 0.0.0 before 12.3.11 and from 12.4.0 before 12.4.10.

The vulnerability is exploitable by remote, unauthenticated attackers with network access; exploitation requires high attack complexity but no privileges and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

The Drupal security advisory at https://www.drupal.org/sa-contrib-2025-015 details the vulnerability. Sites should upgrade to Open Social 12.3.11 or 12.4.10, or later versions, to mitigate the issue.

Details

CWE(s)
CWE-862

Affected Products

Vendor: getopensocial
Product: open social
Affected versions: < 12.3.11 · 12.4.0 to < 12.4.10 (fixed in 12.3.11 and 12.4.10)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The missing authorization vulnerability in the public-facing Drupal Open Social distribution directly enables forceful browsing by remote unauthenticated attackers, which maps to exploitation of a public-facing web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
