DRUPAL-CORE-2025-002

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2025-002.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CORE-2025-002

Aliases

Published

2025-02-19T16:58:10Z

Modified

2025-12-10T23:41:12.209689Z

Summary

[none]

Details

Bulk operations allow authorized users to modify several nodes at once from the Content page (/admin/content). A site builder can also add bulk operations to other pages using Views.

A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have permission to modify on individual nodes.

This vulnerability is mitigated by the fact that an attacker must have permission to access /admin/content or other, custom views and to edit nodes.

In particular, the bulk operations

Make content sticky
Make content unsticky
Promote content to front page
Publish content
Remove content from front page
Unpublish content

now require the "Administer content" permission.

References

https://www.drupal.org/sa-core-2025-002

Credits

- jeff cardwell
- - https://www.drupal.org/u/jeff-cardwell

Affected packages

Packagist / drupal/core

Package

Name: drupal/core
Purl: pkg:composer/drupal/core

Affected ranges

Type

ECOSYSTEM

Events

Introduced

8.0.0

Fixed

10.3.13

Database specific

{
    "constraint": ">= 8.0.0 < 10.3.13"
}

Type

ECOSYSTEM

Events

Introduced

10.4.0

Fixed

10.4.3

Database specific

{
    "constraint": ">= 10.4.0 < 10.4.3"
}

Type

ECOSYSTEM

Events

Introduced

11.0.0

Fixed

11.0.12

Database specific

{
    "constraint": ">= 11.0.0 < 11.0.12"
}

Type

ECOSYSTEM

Events

Introduced

11.1.0

Fixed

11.1.3

Database specific

{
    "constraint": ">= 11.1.0 < 11.1.3"
}

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.1.0-beta1

8.1.0-beta2

8.1.0-rc1

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

8.1.10

8.2.0-beta1

8.2.0-beta2

8.2.0-beta3

8.2.0-rc1

8.2.0-rc2

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

8.2.8

8.3.0-alpha1

8.3.0-beta1

8.3.0-rc1

8.3.0-rc2

8.3.0

8.3.1

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6

8.3.7

8.3.8

8.3.9

8.4.0-alpha1

8.4.0-beta1

8.4.0-rc1

8.4.0-rc2

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.4.6

8.4.7

8.4.8

8.5.0-alpha1

8.5.0-beta1

8.5.0-rc1

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.6.0-alpha1

8.6.0-beta1

8.6.0-beta2

8.6.0-rc1

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.6.5

8.6.6

8.6.7

8.6.8

8.6.9

8.6.10

8.6.11

8.6.12

8.6.13

8.6.14

8.6.15

8.6.16

8.6.17

8.6.18

8.7.0-alpha1

8.7.0-alpha2

8.7.0-beta1

8.7.0-beta2

8.7.0-rc1

8.7.0

8.7.1

8.7.2

8.7.3

8.7.4

8.7.5

8.7.6

8.7.7

8.7.8

8.7.9

8.7.10

8.7.11

8.7.12

8.7.13

8.7.14

8.8.0-alpha1

8.8.0-beta1

8.8.0-rc1

8.8.0

8.8.1

8.8.2

8.8.3

8.8.4

8.8.5

8.8.6

8.8.7

8.8.8

8.8.9

8.8.10

8.8.11

8.8.12

8.9.0-beta1

8.9.0-beta2

8.9.0-beta3

8.9.0-rc1

8.9.0

8.9.1

8.9.2

8.9.3

8.9.4

8.9.5

8.9.6

8.9.7

8.9.8

8.9.9

8.9.10

8.9.11

8.9.12

8.9.13

8.9.14

8.9.15

8.9.16

8.9.17

8.9.18

8.9.19

8.9.20

9.*

9.0.0-alpha1

9.0.0-alpha2

9.0.0-beta1

9.0.0-beta2

9.0.0-beta3

9.0.0-rc1

9.0.0

9.0.1

9.0.2

9.0.3

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.9

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.1.0-alpha1

9.1.0-beta1

9.1.0-rc1

9.1.0-rc2

9.1.0-rc3

9.1.0

9.1.1

9.1.2

9.1.3

9.1.4

9.1.5

9.1.6

9.1.7

9.1.8

9.1.9

9.1.10

9.1.11

9.1.12

9.1.13

9.1.14

9.1.15

9.2.0-alpha1

9.2.0-beta1

9.2.0-beta2

9.2.0-beta3

9.2.0-rc1

9.2.0

9.2.1

9.2.2

9.2.3

9.2.4

9.2.5

9.2.6

9.2.7

9.2.8

9.2.9

9.2.10

9.2.11

9.2.12

9.2.13

9.2.14

9.2.15

9.2.16

9.2.17

9.2.18

9.2.19

9.2.20

9.2.21

9.3.0-alpha1

9.3.0-beta1

9.3.0-beta2

9.3.0-beta3

9.3.0-rc1

9.3.0

9.3.1

9.3.2

9.3.3

9.3.4

9.3.5

9.3.6

9.3.7

9.3.8

9.3.9

9.3.10

9.3.11

9.3.12

9.3.13

9.3.14

9.3.15

9.3.16

9.3.17

9.3.18

9.3.19

9.3.20

9.3.21

9.3.22

9.4.0-alpha1

9.4.0-beta1

9.4.0-rc1

9.4.0-rc2

9.4.0

9.4.1

9.4.2

9.4.3

9.4.4

9.4.5

9.4.6

9.4.7

9.4.8

9.4.9

9.4.10

9.4.11

9.4.12

9.4.13

9.4.14

9.4.15

9.5.0-beta1

9.5.0-beta2

9.5.0-rc1

9.5.0-rc2

9.5.0

9.5.1

9.5.2

9.5.3

9.5.4

9.5.5

9.5.6

9.5.7

9.5.8

9.5.9

9.5.10

9.5.11

10.*

10.0.0-alpha1

10.0.0-alpha2

10.0.0-alpha3

10.0.0-alpha4

10.0.0-alpha5

10.0.0-alpha6

10.0.0-alpha7

10.0.0-beta1

10.0.0-beta2

10.0.0-rc1

10.0.0-rc2

10.0.0-rc3

10.0.0

10.0.1

10.0.2

10.0.3

10.0.4

10.0.5

10.0.6

10.0.7

10.0.8

10.0.9

10.0.10

10.0.11

10.1.0-alpha1

10.1.0-beta1

10.1.0-rc1

10.1.0

10.1.1

10.1.2

10.1.3

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.2.0-alpha1

10.2.0-beta1

10.2.0-rc1

10.2.0

10.2.1

10.2.2

10.2.3

10.2.4

10.2.5

10.2.6

10.2.7

10.2.8

10.2.9

10.2.10

10.2.11

10.2.12

10.3.0-beta1

10.3.0-rc1

10.3.0

10.3.1

10.3.2

10.3.3

10.3.4

10.3.5

10.3.6

10.3.7

10.3.8

10.3.9

10.3.10

10.3.11

10.3.12

10.4.0

10.4.1

10.4.2

11.*

11.0.0

11.0.1

11.0.2

11.0.3

11.0.4

11.0.5

11.0.6

11.0.7

11.0.8

11.0.9

11.0.10

11.0.11

11.1.0

11.1.1

11.1.2

Database specific

affected_versions

">= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3"