Published On: Apr 11, 2025 08:52
Advisory No: TZCERT-SA-25-0080
Source: Drupal
Software Affected: Panels, ECA
Three Drupal versions are affected by critical vulnerabilities. A remote attacker can exploit the vulnerabilities to bypass security controls.
Drupal 8, 10, and 11 running the Panels and ECA modules are affected by critical vulnerabilities tracked as CVE-2025-3474 and CVE-2025-3131. The vulnerabilities result from insufficient protection of sensitive routes. An attacker can exploit these vulnerabilities by sending a specially crafted request to view and modify blocks within variants without holding the appropriate permission, and to perform CSRF attacks.
Successful exploitation of these vulnerabilities may allow the attacker to gain access to the affected system.
Drupal has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.