Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
16 vulnerabilities found for Open Social by Drupal
CVE-2025-48921 (GCVE-0-2025-48921)
Vulnerability from nvd – Published: 2025-06-26 13:32 – Updated: 2025-06-26 17:46
VLAI?
Title
Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery.This issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13.
Severity ?
8.8 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.3.14
(semver)
Affected: 12.4.0 , < 12.4.13 (semver) |
Date Public ?
2025-06-25 18:41
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48921",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T17:46:07.545071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T17:46:14.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.14",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "12.4.13",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ivo Van Geertruyen (mr.baileys)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alexander Varwijk (kingdutch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Robert Ragas (robertragas)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2025-06-25T18:41:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery.This issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T13:32:44.948Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-079"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-48921",
"datePublished": "2025-06-26T13:32:44.948Z",
"dateReserved": "2025-05-28T14:59:40.501Z",
"dateUpdated": "2025-06-26T17:46:14.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31686 (GCVE-0-2025-31686)
Vulnerability from nvd – Published: 2025-03-31 21:44 – Updated: 2025-04-29 15:29
VLAI?
Title
Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015
Summary
Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.
Severity ?
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.3.11
(semver)
Affected: 12.4.0 , < 12.4.10 (semver) |
Date Public ?
2025-02-12 17:37
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T15:28:34.342108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:29:04.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.11",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "12.4.10",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Ragas (robertragas)"
},
{
"lang": "en",
"type": "finder",
"value": "zanvidmar"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Denis Kolmerschlag (uber_denis)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "zanvidmar"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2025-02-12T17:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:44:08.763Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-015"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31686",
"datePublished": "2025-03-31T21:44:08.763Z",
"dateReserved": "2025-03-31T21:30:15.360Z",
"dateUpdated": "2025-04-29T15:29:04.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31685 (GCVE-0-2025-31685)
Vulnerability from nvd – Published: 2025-03-31 21:43 – Updated: 2025-04-29 15:31
VLAI?
Title
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014
Summary
Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.
Severity ?
9.1 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.3.11
(semver)
Affected: 12.4.0 , < 12.4.10 (semver) |
Date Public ?
2025-02-12 17:37
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31685",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T15:29:45.781392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:31:06.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.11",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "12.4.10",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Ragas (robertragas)"
},
{
"lang": "en",
"type": "finder",
"value": "zanvidmar"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Denis Kolmerschlag (uber_denis)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "zanvidmar"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2025-02-12T17:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:43:27.662Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-014"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31685",
"datePublished": "2025-03-31T21:43:27.662Z",
"dateReserved": "2025-03-31T21:30:15.360Z",
"dateUpdated": "2025-04-29T15:31:06.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13312 (GCVE-0-2024-13312)
Vulnerability from nvd – Published: 2025-01-09 20:28 – Updated: 2025-01-31 15:50
VLAI?
Title
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076
Summary
Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 11.8.0 before 12.3.10, from 12.4.0 before 12.4.9.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
11.8.0 , < 12.3.10
(semver)
Affected: 12.4.0 , < 12.4.9 (semver) |
Date Public ?
2024-12-11 16:53
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T15:50:32.397333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T15:50:36.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.10",
"status": "affected",
"version": "11.8.0",
"versionType": "semver"
},
{
"lessThan": "12.4.9",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "corn696"
},
{
"lang": "en",
"type": "remediation developer",
"value": "corn696"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Robert Ragas"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
}
],
"datePublic": "2024-12-11T16:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.\u003cp\u003eThis issue affects Open Social: from 11.8.0 before 12.3.10, from 12.4.0 before 12.4.9.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 11.8.0 before 12.3.10, from 12.4.0 before 12.4.9."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T20:28:53.431Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-076"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13312",
"datePublished": "2025-01-09T20:28:53.431Z",
"dateReserved": "2025-01-09T20:26:30.623Z",
"dateUpdated": "2025-01-31T15:50:36.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13274 (GCVE-0-2024-13274)
Vulnerability from nvd – Published: 2025-01-09 19:27 – Updated: 2025-01-14 17:08
VLAI?
Title
Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038
Summary
Improper Control of Interaction Frequency vulnerability in Drupal Open Social allows Functionality Misuse.This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5.
Severity ?
5.3 (Medium)
CWE
- CWE-799 - Improper Control of Interaction Frequency
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.3.8
(semver)
Affected: 12.4.0 , < 12.4.5 (semver) |
Date Public ?
2024-09-04 16:20
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13274",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T17:08:00.440414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T17:08:25.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.8",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "12.4.5",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "vnech"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ronald te Brake"
},
{
"lang": "en",
"type": "remediation developer",
"value": "vnech"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "Heine Deelstra"
}
],
"datePublic": "2024-09-04T16:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Interaction Frequency vulnerability in Drupal Open Social allows Functionality Misuse.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5.\u003c/p\u003e"
}
],
"value": "Improper Control of Interaction Frequency vulnerability in Drupal Open Social allows Functionality Misuse.This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-799",
"description": "CWE-799 Improper Control of Interaction Frequency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T19:27:04.989Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-038"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13274",
"datePublished": "2025-01-09T19:27:04.989Z",
"dateReserved": "2025-01-09T18:28:09.371Z",
"dateUpdated": "2025-01-14T17:08:25.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13273 (GCVE-0-2024-13273)
Vulnerability from nvd – Published: 2025-01-09 19:26 – Updated: 2025-01-09 21:11
VLAI?
Title
Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Open Social allows Cross-Site Scripting (XSS).This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5, from 13.0.0 before 13.0.0-alpha11.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.3.8
(semver)
Affected: 12.4.0 , < 12.4.5 (semver) |
Date Public ?
2024-09-04 16:15
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13273",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T20:53:38.789963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T21:11:27.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.8",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "12.4.5",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thiago R\u00e9gis"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Thiago R\u00e9gis"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ronald te Brake"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
}
],
"datePublic": "2024-09-04T16:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Open Social allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5, from 13.0.0 before 13.0.0-alpha11.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Open Social allows Cross-Site Scripting (XSS).This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5, from 13.0.0 before 13.0.0-alpha11."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T19:26:21.730Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-037"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13273",
"datePublished": "2025-01-09T19:26:21.730Z",
"dateReserved": "2025-01-09T18:28:08.407Z",
"dateUpdated": "2025-01-09T21:11:27.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13241 (GCVE-0-2024-13241)
Vulnerability from nvd – Published: 2025-01-09 18:47 – Updated: 2025-01-10 17:14
VLAI?
Title
Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005
Summary
Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.0.5.
Severity ?
9.1 (Critical)
CWE
- CWE-285 - Improper Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.0.5
(semver)
|
Date Public ?
2024-01-24 15:47
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T17:13:55.574284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T17:14:22.344Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.0.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Taras Kruts"
},
{
"lang": "en",
"type": "finder",
"value": "SV"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Taras Kruts"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ronald te Brake"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
}
],
"datePublic": "2024-01-24T15:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.0.5.\u003c/p\u003e"
}
],
"value": "Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-150",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-150 Collect Data from Common Resource Locations"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T18:47:46.096Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-005"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13241",
"datePublished": "2025-01-09T18:47:46.096Z",
"dateReserved": "2025-01-09T18:27:02.142Z",
"dateUpdated": "2025-01-10T17:14:22.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13240 (GCVE-0-2024-13240)
Vulnerability from nvd – Published: 2025-01-09 18:46 – Updated: 2025-01-10 17:16
VLAI?
Title
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004
Summary
Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.05.
Severity ?
7.5 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.05
(semver)
|
Date Public ?
2024-01-24 15:45
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T17:14:59.141327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T17:16:11.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.05",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Corn696"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Corn696"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Tiago Siqueira"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Robert Ragas"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
}
],
"datePublic": "2024-01-24T15:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.05.\u003c/p\u003e"
}
],
"value": "Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.05."
}
],
"impacts": [
{
"capecId": "CAPEC-150",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-150 Collect Data from Common Resource Locations"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T18:46:57.503Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-004"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13240",
"datePublished": "2025-01-09T18:46:57.503Z",
"dateReserved": "2025-01-09T18:27:00.742Z",
"dateUpdated": "2025-01-10T17:16:11.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48921 (GCVE-0-2025-48921)
Vulnerability from cvelistv5 – Published: 2025-06-26 13:32 – Updated: 2025-06-26 17:46
VLAI?
Title
Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery.This issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13.
Severity ?
8.8 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.3.14
(semver)
Affected: 12.4.0 , < 12.4.13 (semver) |
Date Public ?
2025-06-25 18:41
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48921",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T17:46:07.545071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T17:46:14.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.14",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "12.4.13",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ivo Van Geertruyen (mr.baileys)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alexander Varwijk (kingdutch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Robert Ragas (robertragas)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2025-06-25T18:41:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery.This issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T13:32:44.948Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-079"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-48921",
"datePublished": "2025-06-26T13:32:44.948Z",
"dateReserved": "2025-05-28T14:59:40.501Z",
"dateUpdated": "2025-06-26T17:46:14.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31686 (GCVE-0-2025-31686)
Vulnerability from cvelistv5 – Published: 2025-03-31 21:44 – Updated: 2025-04-29 15:29
VLAI?
Title
Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015
Summary
Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.
Severity ?
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.3.11
(semver)
Affected: 12.4.0 , < 12.4.10 (semver) |
Date Public ?
2025-02-12 17:37
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T15:28:34.342108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:29:04.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.11",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "12.4.10",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Ragas (robertragas)"
},
{
"lang": "en",
"type": "finder",
"value": "zanvidmar"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Denis Kolmerschlag (uber_denis)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "zanvidmar"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2025-02-12T17:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:44:08.763Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-015"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31686",
"datePublished": "2025-03-31T21:44:08.763Z",
"dateReserved": "2025-03-31T21:30:15.360Z",
"dateUpdated": "2025-04-29T15:29:04.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31685 (GCVE-0-2025-31685)
Vulnerability from cvelistv5 – Published: 2025-03-31 21:43 – Updated: 2025-04-29 15:31
VLAI?
Title
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014
Summary
Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.
Severity ?
9.1 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.3.11
(semver)
Affected: 12.4.0 , < 12.4.10 (semver) |
Date Public ?
2025-02-12 17:37
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31685",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T15:29:45.781392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:31:06.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.11",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "12.4.10",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Ragas (robertragas)"
},
{
"lang": "en",
"type": "finder",
"value": "zanvidmar"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Denis Kolmerschlag (uber_denis)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "zanvidmar"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
}
],
"datePublic": "2025-02-12T17:37:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:43:27.662Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2025-014"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31685",
"datePublished": "2025-03-31T21:43:27.662Z",
"dateReserved": "2025-03-31T21:30:15.360Z",
"dateUpdated": "2025-04-29T15:31:06.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13312 (GCVE-0-2024-13312)
Vulnerability from cvelistv5 – Published: 2025-01-09 20:28 – Updated: 2025-01-31 15:50
VLAI?
Title
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076
Summary
Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 11.8.0 before 12.3.10, from 12.4.0 before 12.4.9.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
11.8.0 , < 12.3.10
(semver)
Affected: 12.4.0 , < 12.4.9 (semver) |
Date Public ?
2024-12-11 16:53
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T15:50:32.397333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T15:50:36.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.10",
"status": "affected",
"version": "11.8.0",
"versionType": "semver"
},
{
"lessThan": "12.4.9",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "corn696"
},
{
"lang": "en",
"type": "remediation developer",
"value": "corn696"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Robert Ragas"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
}
],
"datePublic": "2024-12-11T16:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.\u003cp\u003eThis issue affects Open Social: from 11.8.0 before 12.3.10, from 12.4.0 before 12.4.9.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 11.8.0 before 12.3.10, from 12.4.0 before 12.4.9."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T20:28:53.431Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-076"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13312",
"datePublished": "2025-01-09T20:28:53.431Z",
"dateReserved": "2025-01-09T20:26:30.623Z",
"dateUpdated": "2025-01-31T15:50:36.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13274 (GCVE-0-2024-13274)
Vulnerability from cvelistv5 – Published: 2025-01-09 19:27 – Updated: 2025-01-14 17:08
VLAI?
Title
Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038
Summary
Improper Control of Interaction Frequency vulnerability in Drupal Open Social allows Functionality Misuse.This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5.
Severity ?
5.3 (Medium)
CWE
- CWE-799 - Improper Control of Interaction Frequency
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.3.8
(semver)
Affected: 12.4.0 , < 12.4.5 (semver) |
Date Public ?
2024-09-04 16:20
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13274",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T17:08:00.440414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T17:08:25.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.8",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "12.4.5",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "vnech"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ronald te Brake"
},
{
"lang": "en",
"type": "remediation developer",
"value": "vnech"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "Heine Deelstra"
}
],
"datePublic": "2024-09-04T16:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Interaction Frequency vulnerability in Drupal Open Social allows Functionality Misuse.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5.\u003c/p\u003e"
}
],
"value": "Improper Control of Interaction Frequency vulnerability in Drupal Open Social allows Functionality Misuse.This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-799",
"description": "CWE-799 Improper Control of Interaction Frequency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T19:27:04.989Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-038"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13274",
"datePublished": "2025-01-09T19:27:04.989Z",
"dateReserved": "2025-01-09T18:28:09.371Z",
"dateUpdated": "2025-01-14T17:08:25.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13273 (GCVE-0-2024-13273)
Vulnerability from cvelistv5 – Published: 2025-01-09 19:26 – Updated: 2025-01-09 21:11
VLAI?
Title
Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Open Social allows Cross-Site Scripting (XSS).This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5, from 13.0.0 before 13.0.0-alpha11.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.3.8
(semver)
Affected: 12.4.0 , < 12.4.5 (semver) |
Date Public ?
2024-09-04 16:15
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13273",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T20:53:38.789963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T21:11:27.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.3.8",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "12.4.5",
"status": "affected",
"version": "12.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thiago R\u00e9gis"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Thiago R\u00e9gis"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ronald te Brake"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
}
],
"datePublic": "2024-09-04T16:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Open Social allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5, from 13.0.0 before 13.0.0-alpha11.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Open Social allows Cross-Site Scripting (XSS).This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5, from 13.0.0 before 13.0.0-alpha11."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T19:26:21.730Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-037"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13273",
"datePublished": "2025-01-09T19:26:21.730Z",
"dateReserved": "2025-01-09T18:28:08.407Z",
"dateUpdated": "2025-01-09T21:11:27.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13241 (GCVE-0-2024-13241)
Vulnerability from cvelistv5 – Published: 2025-01-09 18:47 – Updated: 2025-01-10 17:14
VLAI?
Title
Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005
Summary
Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.0.5.
Severity ?
9.1 (Critical)
CWE
- CWE-285 - Improper Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.0.5
(semver)
|
Date Public ?
2024-01-24 15:47
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T17:13:55.574284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T17:14:22.344Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.0.5",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Taras Kruts"
},
{
"lang": "en",
"type": "finder",
"value": "SV"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Taras Kruts"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ronald te Brake"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
}
],
"datePublic": "2024-01-24T15:47:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.0.5.\u003c/p\u003e"
}
],
"value": "Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-150",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-150 Collect Data from Common Resource Locations"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T18:47:46.096Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-005"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13241",
"datePublished": "2025-01-09T18:47:46.096Z",
"dateReserved": "2025-01-09T18:27:02.142Z",
"dateUpdated": "2025-01-10T17:14:22.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13240 (GCVE-0-2024-13240)
Vulnerability from cvelistv5 – Published: 2025-01-09 18:46 – Updated: 2025-01-10 17:16
VLAI?
Title
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004
Summary
Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.05.
Severity ?
7.5 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Open Social |
Affected:
0.0.0 , < 12.05
(semver)
|
Date Public ?
2024-01-24 15:45
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T17:14:59.141327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T17:16:11.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/social",
"defaultStatus": "unaffected",
"product": "Open Social",
"repo": "https://git.drupalcode.org/project/social",
"vendor": "Drupal",
"versions": [
{
"lessThan": "12.05",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Corn696"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Corn696"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Tiago Siqueira"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Robert Ragas"
},
{
"lang": "en",
"type": "coordinator",
"value": "Damien McKenna"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
}
],
"datePublic": "2024-01-24T15:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.\u003cp\u003eThis issue affects Open Social: from 0.0.0 before 12.05.\u003c/p\u003e"
}
],
"value": "Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.05."
}
],
"impacts": [
{
"capecId": "CAPEC-150",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-150 Collect Data from Common Resource Locations"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T18:46:57.503Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2024-004"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-13240",
"datePublished": "2025-01-09T18:46:57.503Z",
"dateReserved": "2025-01-09T18:27:00.742Z",
"dateUpdated": "2025-01-10T17:16:11.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}