CVE-2025-13081
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-24
Assigner: Drupal.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| drupal | drupal | From 8.0.0 (inc) to 10.4.9 (exc) |
| drupal | drupal | From 10.5.0 (inc) to 10.5.6 (exc) |
| drupal | drupal | From 11.0.0 (inc) to 11.1.9 (exc) |
| drupal | drupal | From 11.2.0 (inc) to 11.2.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) in Drupal core, which allows Object Injection. It affects Drupal core from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, and from 11.2.0 before 11.2.8. In practice, input can set object attributes that the code does not restrict, so an attacker could manipulate those attributes and potentially inject malicious objects.
How can this vulnerability impact me?
The vulnerability can impact you by allowing an attacker with high privileges to inject malicious objects, which can lead to unauthorized modification of data or behavior within the Drupal application. According to the CVSS score, it has a high impact on confidentiality and integrity but does not affect availability.