Vulnerability-Lookup

Vulnerability from drupal

Published

2025-02-26 18:35

Modified

2025-03-31 22:06

Summary

Details

The Cache Utility module provides an ability to view status and flush various caches.

The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when flushing a cache.

Credits

Pierre Rudloff (prudloff) www.drupal.org/u/prudloff

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.2.1"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/cache_utility"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.2.1"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2025-31690"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/prudloff"
      ],
      "name": "Pierre Rudloff (prudloff)"
    }
  ],
  "details": "The Cache Utility module provides an ability to view status and flush various caches.\n\nThe module doesn\u0027t sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when flushing a cache.",
  "id": "DRUPAL-CONTRIB-2025-019",
  "modified": "2025-03-31T22:06:12.000Z",
  "published": "2025-02-26T18:35:11.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-019"
    }
  ],
  "schema_version": "1.7.0"
}

CVE-2025-31690 (GCVE-0-2025-31690)

Vulnerability from cvelistv5 – Published: 2025-03-31 21:49 – Updated: 2025-04-29 15:23

Title

Cache Utility - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-019

Summary

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Cache Utility allows Cross Site Request Forgery.This issue affects Cache Utility: from 0.0.0 before 1.2.1.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-019

Impacted products

	Vendor	Product	Version
	Drupal	Cache Utility	Affected: 0.0.0 , < 1.2.1 (semver)

Credits

Pierre Rudloff (prudloff) cyoun Greg Knaddison (greggles)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-31690",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-01T18:21:57.171501Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-29T15:23:27.313Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/cache_utility",
          "defaultStatus": "unaffected",
          "product": "Cache Utility",
          "repo": "https://git.drupalcode.org/project/cache_utility",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "1.2.1",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pierre Rudloff (prudloff)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "cyoun"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        }
      ],
      "datePublic": "2025-02-26T18:35:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Cache Utility allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Cache Utility: from 0.0.0 before 1.2.1.\u003c/p\u003e"
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Cache Utility allows Cross Site Request Forgery.This issue affects Cache Utility: from 0.0.0 before 1.2.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-31T21:49:18.300Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-019"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Cache Utility - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-019",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-31690",
    "datePublished": "2025-03-31T21:49:18.300Z",
    "dateReserved": "2025-03-31T21:30:15.360Z",
    "dateUpdated": "2025-04-29T15:23:27.313Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from drupal

CVE-2025-31690 (GCVE-0-2025-31690)

Tags

Sightings

Nomenclature