[Security-news] Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086
security-news at drupal.org
security-news at drupal.org
Wed Jul 2 17:37:14 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-086
Project: Config Pages Viewer [1]
Date: 2025-July-02
Security risk: *Critical* 15 ∕ 25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <1.0.4
CVE IDs: CVE-2025-7031
Description:
This module enables you to use config_pages [3] as a content entity.
The module doesn't check permission or entity access before rendering
config_pages content.
Solution:
Install the latest version:
* If you use the Config Pages Viewer module at version 1.0.3 and lesser,
upgrade to Config Pages Viewer 1.0.4 [4].
Reported By:
* Pierre Rudloff (prudloff) [5]
Fixed By:
* drdam [6]
* Pierre Rudloff (prudloff) [7]
Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
* Jess (xjm) [10] of the Drupal Security Team
[1] https://www.drupal.org/project/config_pages_viewer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_pages
[4] https://www.drupal.org/node/3533571
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/drdam
[7] https://www.drupal.org/u/prudloff
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/xjm
More information about the Security-news
mailing list