Missing Authorization Flaw in Drupal Config Pages
CVE-2025-8361

7.6 HIGH

Key Information:

Vendor: Drupal
CVE Published: 15 August 2025

What is CVE-2025-8361?

A missing authorization vulnerability has been identified in Drupal's Config Pages that allows unauthorized users to perform forceful browsing, potentially compromising sensitive configuration settings. The issue affects all versions of Config Pages before 2.18.0.

Affected Version(s)

Config Pages 0.0.0 < 2.18.0

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Rudloff (prudloff)
Alexander Shumenko (shumer)
Greg Knaddison (greggles)
Heine Deelstra (heine)
Jess (xjm)