Vulnerability-Lookup

Vulnerability from drupal

Published

2025-05-21 17:28

Modified

2025-05-21 17:28

Summary

Details

This module provides a block to easily display a rendered node.

Access to the rendered node isn't validated before rendering the block. Allowing access to node content for users that would normally not be allowed to access the node.

Credits

Mitch Portier (arkener) www.drupal.org/u/arkener

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c2.0.1",
        "patched": true
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/quick_node_block"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c2.0.1"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2025-48013"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/arkener"
      ],
      "name": "Mitch Portier (arkener)"
    }
  ],
  "details": "This module provides a block to easily display a rendered node.\n\nAccess to the rendered node isn\u0027t validated before rendering the block. Allowing access to node content for users that would normally not be allowed to access the node.",
  "id": "DRUPAL-CONTRIB-2025-065",
  "modified": "2025-05-21T17:28:31.000Z",
  "published": "2025-05-21T17:28:31.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-065"
    }
  ],
  "schema_version": "1.7.0"
}

CVE-2025-48013 (GCVE-0-2025-48013)

Vulnerability from cvelistv5 – Published: 2025-06-11 14:20 – Updated: 2025-06-11 15:26

Title

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065

Summary

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-862 - Missing Authorization

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-065

Impacted products

	Vendor	Product	Version
	Drupal	Quick Node Block	Affected: 0.0.0 , < 2.0.0 (semver)

Credits

Mitch Portier (arkener) Mitch Portier (arkener) Antonio Sánchez (saesa) Greg Knaddison (greggles) Ivo Van Geertruyen (mr.baileys) Juraj Nemec (poker10)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-48013",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-11T15:25:57.573785Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-11T15:26:57.249Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/quick_node_block",
          "defaultStatus": "unaffected",
          "product": "Quick Node Block",
          "repo": "https://git.drupalcode.org/project/quick_node_block",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "2.0.0",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mitch Portier (arkener)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Mitch Portier (arkener)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Antonio S\u00e1nchez (saesa)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Ivo  Van Geertruyen (mr.baileys)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        }
      ],
      "datePublic": "2025-05-21T17:28:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.\u003cp\u003eThis issue affects Quick Node Block: from 0.0.0 before 2.0.0.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-87",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-87 Forceful Browsing"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-11T14:20:06.254Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-065"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-48013",
    "datePublished": "2025-06-11T14:20:06.254Z",
    "dateReserved": "2025-05-14T17:45:12.225Z",
    "dateUpdated": "2025-06-11T15:26:57.249Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from drupal

CVE-2025-48013 (GCVE-0-2025-48013)

Tags

Sightings

Nomenclature