Drupal Config Pages Missing Authorization Vulnerability Allowing Forceful Browsing
Vulnerability
A missing authorization vulnerability has been identified in the Drupal Config Pages module in versions prior to 2.18.0. It allows forceful browsing: a user can reach a config page's edit form by requesting its URL directly, bypassing the access restrictions that should apply to it. The issue arises because the module does not adequately check entity access, particularly on sites that restrict access through hook_ENTITY_TYPE_access(). To exploit this vulnerability, an attacker must have a role that includes the 'edit ID config page' permission (ID standing for the config page type).
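The kind of restriction the advisory refers to is an implementation of hook_ENTITY_TYPE_access() for config page entities. The following is an added illustration, not code from the Config Pages module or from the advisory; it assumes a custom module named mymodule and a config page type with the machine name site_settings, and relies on the config page entity type ID being config_pages (so the hook is named hook_config_pages_access()).

```php
<?php
// Added illustration, not code from the Config Pages module or the advisory.
// Assumed: a custom module named "mymodule" and a config page type with the
// machine name "site_settings". The entity type ID of a config page in the
// Config Pages module is "config_pages", so the hook name is
// hook_config_pages_access().

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_ENTITY_TYPE_access() for config_pages entities.
 *
 * Restricts editing of the "site_settings" config page to accounts that also
 * hold the core "administer site configuration" permission, on top of the
 * module's own "edit site_settings config page" permission. The advisory
 * describes affected versions (prior to 2.18.0) as not applying such a
 * restriction to the edit route, so a user holding only the module permission
 * could still reach the edit form by entering its URL directly.
 */
function mymodule_config_pages_access(EntityInterface $entity, $operation, AccountInterface $account) {
  if ($entity->bundle() !== 'site_settings' || $operation !== 'update') {
    // Leave other config pages and other operations to the module's own checks.
    return AccessResult::neutral();
  }

  // Forbid the edit unless the account holds the stricter core permission.
  $result = AccessResult::forbiddenIf(!$account->hasPermission('administer site configuration'));

  // Cache the decision per permission set and tie it to this entity so it is
  // invalidated when the config page changes.
  return $result->cachePerPermissions()->addCacheableDependency($entity);
}
```

A practical check after upgrading: log in as a test account whose only relevant permission is the module's 'edit site_settings config page' permission, request the config page's edit URL directly, and confirm the response is 403 rather than the edit form. On an affected version that request succeeds even with the hook in place.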
Impact
Successful exploitation gives such a user access to the edit form of a config page they are not permitted to edit, allowing them to modify configuration settings they should not be able to change.
Remediation
Users of the Config Pages module should upgrade to version 8.x-2.18 (2.18.0 in Composer) or later.
