
[CIVN-2025-0340] Multiple Vulnerabilities in Drupal
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: Medium
Software Affected:
· Drupal core versions from 8.0.0 before 10.4.9
· Drupal core versions from 10.5.0 before 10.5.6
· Drupal core versions from 11.0.0 before 11.1.9
· Drupal core versions from 11.2.0 before 11.2.8
Overview:
Multiple vulnerabilities have been reported in Drupal which could allow an attacker to obtain sensitive information, conduct spoofing and object injection attacks, or cause denial of service conditions.
Target Audience: Individuals and end-user organizations using Drupal
Risk Assessment: High risk of unauthorized access to sensitive data, security bypass, and service unavailability
Impact Assessment: Potential for data theft, system crash and system compromise
Description:
Drupal is an open-source content management system (CMS) which allows individuals and organizations to create, manage and maintain websites and web applications.
These vulnerabilities exist in Drupal Core due to improper file handling, crafted URLs, improper modification of dynamically-determined object attributes or a request-overriding weakness. An attacker could exploit these vulnerabilities by manipulating specially crafted URLs.
Successful exploitation of these vulnerabilities could allow the attacker to obtain sensitive information, temporarily deface pages of the target website, perform object injection, or cause denial of service conditions.
Please note that Drupal 11.0.x, Drupal 10.3.x, and all prior releases have reached end-of-life and no longer receive security support. Drupal 8 and Drupal 9 have also reached end-of-life.
Solution
Upgrade to the latest versions as mentioned in the security advisories:
https://www.drupal.org/sa-core-2025-005
https://www.drupal.org/sa-core-2025-006
https://www.drupal.org/sa-core-2025-007
https://www.drupal.org/sa-core-2025-008
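To help apply the upgrade guidance across a site inventory, the following added example (not part of the CERT-In or Drupal advisories) classifies Drupal core version strings against the ranges listed under Software Affected and the end-of-life note. The function names, the inventory hostnames and the sample versions are assumptions made for illustration.

```python
import re

# Ranges copied from "Software Affected": (first affected, first fixed) per line.
AFFECTED_RANGES = [
    ((8, 0, 0), (10, 4, 9)),
    ((10, 5, 0), (10, 5, 6)),
    ((11, 0, 0), (11, 1, 9)),
    ((11, 2, 0), (11, 2, 8)),
]

def parse_version(text):
    """Return (major, minor, patch) for a plain X.Y.Z release string, else None."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(part) for part in match.groups()) if match else None

def is_end_of_life(version):
    """Assumed reading of the end-of-life note: 11.0.x, 10.3.x and earlier, Drupal 8 and 9."""
    major, minor, _ = version
    return major < 10 or (major == 10 and minor <= 3) or (major == 11 and minor == 0)

def triage(text):
    """Classify one version string; 'not-affected' only means outside the listed ranges."""
    version = parse_version(text)
    if version is None:
        # Dev, pre-release or malformed strings are not covered by the ranges: review by hand.
        return {"version": text, "status": "unknown", "eol": None, "fixed_in": None}
    fixed_in = None
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:  # tuple comparison, not string comparison
            fixed_in = ".".join(map(str, first_fixed))
            break
    return {"version": text, "status": "affected" if fixed_in else "not-affected",
            "eol": is_end_of_life(version), "fixed_in": fixed_in}

if __name__ == "__main__":
    # Constructed inventory (hypothetical hostnames and versions) for illustration.
    inventory = {"www": "10.4.8", "intranet": "9.5.11", "shop": "11.2.8", "lab": "11.2.0-rc1"}
    for host, version in inventory.items():
        r = triage(version)
        print(f"{host:10} {version:12} {r['status']:13} eol={r['eol']} fixed_in={r['fixed_in']}")
```

A result with eol=True means the installed branch no longer receives security support, so the site has to move to a supported branch rather than patch in place.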
Vendor Information
Drupal
https://www.drupal.org/
References
https://www.drupal.org/sa-core-2025-005
https://www.drupal.org/sa-core-2025-006
https://www.drupal.org/sa-core-2025-007
https://www.drupal.org/sa-core-2025-008
CVE Name
CVE-2025-13080
CVE-2025-13081
CVE-2025-13082
CVE-2025-13083
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


