Platform: drupal
Component: drupal
Fixed in: 10.4.9, 10.5.6, 11.1.9, 11.2.8, 7.103.1
CVE-2025-13083 is a Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Core. It allows incorrectly configured access control security levels to be exploited, potentially exposing sensitive data. The vulnerability affects Drupal Core versions 8.0.0 through 9.5.9, as well as 10.5.0, 11.0.0, 11.1.0 and 11.2.0. A fix is available in Drupal 10.4.9.
Exploitation of CVE-2025-13083 could allow an attacker to read sensitive information that a user's web browser has cached, such as user credentials, session tokens or other confidential data. Although the CVSS score is low, the impact can be significant when the cached data is highly sensitive. The blast radius is limited to users who have visited the affected pages, but the consequences of exposure for those users can be severe. The vulnerability underlines the importance of correctly configured access control security levels and sound caching policies.
CVE-2025-13083 was published on 2025-11-18. Its severity is currently being evaluated. No public proof-of-concept exploits are currently known. The vulnerability is not listed on KEV or EPSS, indicating a low to medium probability of exploitation. Monitor Drupal security advisories and community discussions for any updates on exploitation attempts.
Organizations and individuals using Drupal Core for websites or applications that handle sensitive data are affected, particularly those running versions prior to 10.4.9. Sites with complex access control configurations, or that rely heavily on browser caching, are at higher risk.
• drupal: Check the Drupal core version using drush --version.
• drupal: Review access control configurations for any inconsistencies or overly permissive settings.
• generic web: Monitor web server access logs for unusual requests targeting cached resources.
• generic web: Use browser developer tools to inspect cached resources and verify that sensitive data is not exposed.
Disclosure
Exploit status
EPSS: 0.02% (5th percentile)
CVSS vector
The primary mitigation for CVE-2025-13083 is to upgrade Drupal Core to version 10.4.9 or later. Review and strengthen access control security levels to ensure that sensitive data is not exposed to unauthorized users. Implement appropriate caching policies to minimize the amount of sensitive data stored in web browser caches. Consider using HTTP headers to control caching behavior. After upgrading, verify the fix by testing access control mechanisms and confirming that sensitive data is not accessible through cached pages.
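A check for the post-upgrade verification described above, added here as an example and not part of this advisory or of Drupal's own code: it takes response headers captured from access-restricted pages (the samples below are constructed, and the Response/audit names are hypothetical) and reports any page a browser is still permitted to store.

```python
"""Audit response headers of access-restricted pages for browser cacheability.

Added example, not Drupal project code. Sample responses are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    path: str
    restricted: bool          # served only to an authenticated/authorized user
    headers: dict[str, str]   # header names in any letter case


def cache_control_directives(headers: dict[str, str]) -> set[str]:
    """Return lower-cased Cache-Control directive names ('max-age=0' -> 'max-age')."""
    raw = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    return {part.strip().split("=", 1)[0].lower() for part in raw.split(",") if part.strip()}


def browser_may_store(headers: dict[str, str]) -> bool:
    """True if a browser (a private cache) is permitted to keep the body on disk.

    Only 'no-store' forbids storage: 'private' merely excludes shared caches,
    and 'no-cache' still stores the body and only forces revalidation.
    """
    return "no-store" not in cache_control_directives(headers)


def audit(responses: list[Response]) -> list[str]:
    """Return the restricted paths whose headers let the browser cache them."""
    return [r.path for r in responses if r.restricted and browser_may_store(r.headers)]


# Constructed samples: three restricted pages and one public page.
SAMPLES = [
    Response("/user/1/edit", True, {"Cache-Control": "must-revalidate, no-cache, private"}),
    Response("/admin/reports/status", True, {"cache-control": "private, no-store, max-age=0"}),
    Response("/node/7", True, {"Cache-Control": "public, max-age=3600"}),
    Response("/", False, {"Cache-Control": "max-age=300, public"}),
]

if __name__ == "__main__":
    for path in audit(SAMPLES):
        print(f"browser may store restricted page: {path}")
```

Feed it headers captured with the browser developer tools or curl for each page that only an authorized user should see; every path it lists needs a Cache-Control policy that includes no-store.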
Update Drupal core to the latest available version. For 7.x, update to 7.103 or later. For 8.x through 10.4.x, update to 10.4.9 or later. For 10.5.x, update to 10.5.6 or later. For 11.0.x, update to 11.1.9 or later. For 11.2.x, update to 11.2.8 or later.
CVE-2025-13083 is a vulnerability in Drupal Core that allows incorrectly configured access control security levels to be exploited, potentially exposing sensitive information through browser caching. It affects versions ≤9.5.9.
You are affected if you are using Drupal Core versions 8.0.0 through 9.5.9, or 10.5.0, 11.0.0, 11.1.0, or 11.2.0. Versions 10.4.9 and later are not affected.
Upgrade Drupal Core to version 10.4.9 or later. Back up your site before upgrading and review access control configurations.
There is currently no indication of active exploitation of CVE-2025-13083.
Refer to the official Drupal security advisory on the Drupal.org website for detailed information and updates.