GHSA-4f8q-mwgc-3mwc

Source

https://github.com/advisories/GHSA-4f8q-mwgc-3mwc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-4f8q-mwgc-3mwc/GHSA-4f8q-mwgc-3mwc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4f8q-mwgc-3mwc

Aliases

CVE-2025-31691

Published

2025-04-01T00:30:35Z

Modified

2025-04-02T18:12:09.915242Z

Severity

2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Drupal OAuth2 Server Missing Authorization vulnerability

Details

Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0.

Database specific

{
    "nvd_published_at": "2025-03-31T22:15:21Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-02T17:13:34Z"
}

References

Affected packages

Packagist / drupal/oauth2_server

Package

Name: drupal/oauth2_server
Purl: pkg:composer/drupal/oauth2_server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0