Vulnerability-Lookup

Vulnerability from drupal

Published

2025-12-03 18:49

Modified

2025-12-03 18:49

Summary

Details

This module enables you to deploy content from one Drupal website to another.

The module provides some default configuration without sufficient access control.

This vulnerability is mitigated by the fact that an administrator can add some default access control permission.

Credits

Jürgen Haas (jurgenhaas) www.drupal.org/u/jurgenhaas

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c3.13.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/entity_share"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c3.13.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2025-13985"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/jurgenhaas"
      ],
      "name": "J\u00fcrgen Haas (jurgenhaas)"
    }
  ],
  "details": "This module enables you to deploy content from one Drupal website to another.\n\nThe module provides some default configuration without sufficient access control.\n\nThis vulnerability is mitigated by the fact that an administrator can add some default access control permission.",
  "id": "DRUPAL-CONTRIB-2025-123",
  "modified": "2025-12-03T18:49:40.000Z",
  "published": "2025-12-03T18:49:40.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-123"
    }
  ],
  "schema_version": "1.7.0"
}

CVE-2025-13985 (GCVE-0-2025-13985)

Vulnerability from cvelistv5 – Published: 2026-01-28 20:02 – Updated: 2026-01-29 17:53

Title

Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123

Summary

Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-863 - Incorrect Authorization

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-123

Impacted products

	Vendor	Product	Version
	Drupal	Entity Share	Affected: 0.0.0 , < 3.13.0 (semver)

Credits

JÃ¼rgen Haas (jurgenhaas) Florent Torregrosa (grimreaper) Joachim Noreiko (joachim) Bram Driesen (bramdriesen) cilefen (cilefen) Greg Knaddison (greggles) Drew Webber (mcdruid) Juraj Nemec (poker10) Jess (xjm)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-13985",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-29T17:53:33.475809Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-29T17:53:36.778Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/entity_share",
          "defaultStatus": "unaffected",
          "product": "Entity Share",
          "repo": "https://git.drupalcode.org/project/entity_share",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "3.13.0",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "J\u00c3\u00bcrgen Haas (jurgenhaas)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Florent Torregrosa (grimreaper)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Joachim Noreiko (joachim)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Bram Driesen (bramdriesen)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "cilefen  (cilefen)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Drew Webber (mcdruid)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2025-12-03T18:49:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.\u003cp\u003eThis issue affects Entity Share: from 0.0.0 before 3.13.0.\u003c/p\u003e"
            }
          ],
          "value": "Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-87",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-87 Forceful Browsing"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T20:02:40.252Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-123"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-13985",
    "datePublished": "2026-01-28T20:02:40.252Z",
    "dateReserved": "2025-12-03T17:04:26.862Z",
    "dateUpdated": "2026-01-29T17:53:36.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from drupal

CVE-2025-13985 (GCVE-0-2025-13985)

Tags

Sightings

Nomenclature