{
  "canonical_id": "drupal--47ee170dd0",
  "system_id": "drupal",
  "display_name": "Drupal",
  "category": "cms",
  "advisory_mode": "core",
  "title": "Drupal core - Moderately critical - Defacement - SA-CORE-2025-007",
  "summary": "<div class=\"field field-name-field-project field-type-entityreference field-label-inline clearfix\"><div class=\"field-label\">Project:&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\"><a href=\"/project/drupal\">Drupal core</a></div></div></div><div class=\"field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix\"><div class=\"field-label\">Date:&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\">2025-November-12</div></div></div><div class=\"field field-name-field-sa-criticality field-type-text field-label-inline clearfix\"><div class=\"field-label\">Security risk:&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\"><a href=\"/security-team/risk-levels\" class=\"moderately-critical\" title=\"AC - Access complexity: Basic or routine (user must follow specific path)\nA - Authentication: None (all/anonymous users)\nCI - Confidentiality impact: No confidentiality impact\nII - Integrity impact: Data integrity remains intact\nE - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists)\nTD - Target distribution: All module configurations are exploitable\"><strong>Moderately critical</strong> 10\u2009\u2215\u200925 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All</a></div></div></div><div class=\"field field-name-field-sa-type field-type-text field-label-inline clearfix\"><div class=\"field-label\">Vulnerability:&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\">Defacement</div></div></div><div class=\"field field-name-field-affected-versions field-type-text field-label-inline clearfix\"><div class=\"field-label\">Affected versions:&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\">&gt;= 8.0.0 &lt; 10.4.9 || &gt;= 10.5.0 &lt; 10.5.6 || &gt;= 11.0.0 &lt; 11.1.9 || &gt;= 11.2.0 &lt; 11.2.8</div></div></div><div class=\"field field-name-field-sa-cve field-type-text field-label-inline clearfix\"><div class=\"field-label\">CVE IDs:&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\">CVE-2025-13082</div></div></div><div class=\"field field-name-field-sa-description field-type-text-long field-label-above\"><div class=\"field-label\">Description:&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\"><p>By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement.</p>\n<p>The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content (such as branding) is rendered.</p></div></div></div><div class=\"field field-name-field-sa-solution field-type-text-long field-label-above\"><div class=\"field-label\">Solution:&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\"><p>Install the latest version:</p>\n<ul>\n<li>If you are using Drupal 10.4, update to <a href=\"https://www.drupal.org/project/drupal/releases/10.4.9\" rel=\"nofollow\">Drupal 10.4.9</a>.</li>\n<li>If you are using Drupal 10.5, update to <a href=\"https://www.drupal.org/project/drupal/releases/10.5.6\" rel=\"nofollow\">Drupal 10.5.6</a>.</li>\n<li>If you are using Drupal 11.1, update to <a href=\"https://www.drupal.org/project/drupal/releases/11.1.9\" rel=\"nofollow\">Drupal 11.1.9</a>.</li>\n<li>If you are using Drupal 11.2, update to <a href=\"https://www.drupal.org/project/drupal/releases/11.2.8\" rel=\"nofollow\">Drupal 11.2.8</a>.</li>\n</ul>\n<p>Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (<a href=\"https://www.drupal.org/psa-2021-06-29\" rel=\"nofollow\">Drupal 8</a> and <a href=\"https://www.drupal.org/psa-2023-11-01\" rel=\"nofollow\">Drupal 9</a> have both reached end-of-life.)</p></div></div></div><div class=\"field field-name-field-sa-reported-by field-type-text-long field-label-above\"><div class=\"field-label\">Reported By:&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\"><ul>\n<li><a href=\"/u/kevinquillen\" rel=\"nofollow\">Kevin Quillen (kevinquillen)</a>\n</li></ul></div></div></div><div class=\"field field-name-field-sa-fixed-by field-type-text-long field-label-above\"><div class=\"field-label\">Fixed By:&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\"><ul>\n<li><a href=\"/u/benjifisher\" rel=\"nofollow\">Benji Fisher (benjifisher)</a> of the Drupal Security Team\n</li><li><a href=\"/u/drumm\" rel=\"nofollow\">Neil Drumm (drumm)</a> of the Drupal Security Team\n</li><li><a href=\"/u/greggles\" rel=\"nofollow\">Greg Knaddison (greggles)</a> of the Drupal Security Team\n</li><li><a href=\"/u/larowlan\" rel=\"nofollow\">Lee Rowlands (larowlan)</a> of the Drupal Security Team\n</li><li><a href=\"/u/mcdruid\" rel=\"nofollow\">Drew Webber (mcdruid)</a> of the Drupal Security Team\n</li><li><a href=\"/u/mingsong\" rel=\"nofollow\">Mingsong  (mingsong)</a>, provisional member of the Drupal Security Team\n</li><li><a href=\"/u/poker10\" rel=\"nofollow\">Juraj Nemec (poker10)</a> of the Drupal Security Team\n</li><li><a href=\"/u/ram4nd\" rel=\"nofollow\">Ra M\u00e4nd (ram4nd)</a>, provisional member of the Drupal Security Team\n</li><li><a href=\"/u/xjm\" rel=\"nofollow\">Jess  (xjm)</a> of the Drupal Security Team\n</li></ul></div></div></div><div class=\"field field-name-field-sa-coordinated-by field-type-text-long field-label-above\"><div class=\"field-label\">Coordinated By:&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\"><ul>\n<li><a href=\"/u/catch\" rel=\"nofollow\"> catch (catch)</a> of the Drupal Security Team\n</li><li><a href=\"/u/larowlan\" rel=\"nofollow\">Lee Rowlands (larowlan)</a> of the Drupal Security Team\n</li><li><a href=\"/u/longwave\" rel=\"nofollow\">Dave Long (longwave)</a> of the Drupal Security Team\n</li><li><a href=\"/u/poker10\" rel=\"nofollow\">Juraj Nemec (poker10)</a> of the Drupal Security Team\n</li></ul></div></div></div>",
  "published_at": "Wed, 12 Nov 2025 20:16:21 +0000",
  "updated_at": "Wed, 12 Nov 2025 20:16:21 +0000",
  "severity": "unknown",
  "cvss_score": null,
  "exploit_status": "unknown",
  "source_confidence": "official",
  "official_source_url": "https://www.drupal.org/sa-core-2025-007",
  "secondary_source_urls": [],
  "aliases": [],
  "cve_ids": [],
  "ghsa_ids": [],
  "osv_ids": [],
  "affected_versions": [],
  "fixed_versions": [],
  "package_name": null,
  "render_markdown": false,
  "case_path": null,
  "secure_code_topics": [
    "authz-server-side-recheck",
    "xss-output-encoding",
    "file-upload-validation",
    "plugin-extension-trust-policy"
  ],
  "status": "triage",
  "triage_reasons": [
    "missing affected/fixed version details"
  ],
  "entity_refs": [
    {
      "entity_id": "drupal",
      "entity_type": "system",
      "relation": "root-system",
      "root_system_id": "drupal",
      "official": true
    }
  ],
  "affected_components": [
    {
      "name": "Drupal",
      "entity_id": "drupal",
      "scope": "core",
      "package_name": null,
      "official": true
    }
  ],
  "affected_version_ranges": [],
  "fixed_version_ranges": [],
  "introduced_version": null,
  "patched_version": null,
  "version_evidence_sources": [
    "https://www.drupal.org/sa-core-2025-007"
  ],
  "affected_version_refs": [],
  "fixed_version_refs": [],
  "patched_version_refs": [],
  "version_sync_confidence": "low",
  "advisory_scope": "core",
  "version_confidence": "low",
  "version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
  "version_resolution_needed": true,
  "workflow": {
    "workflow_id": "drupal--47ee170dd0--workflow",
    "vuln_family": "xss",
    "entry_surface": "web-ui-render-path",
    "preconditions": [
      "\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
      "\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
      "\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
    ],
    "required_role": "editor-or-admin",
    "affected_version_assertion": [
      "\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
    ],
    "trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
    "request_or_ui_path": [
      "/admin/editor",
      "/preview",
      "/rendered-content"
    ],
    "input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
    "expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
    "server_evidence_points": [
      "\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
      "\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
    ],
    "browser_evidence_points": [
      "\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
      "console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
    ],
    "db_or_fs_evidence_points": [
      "\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
      "\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
    ],
    "detection_signals": [
      "WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
      "\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
    ],
    "mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
    "patch_validation_steps": [
      "\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
      "\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
      "\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
      "\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
    ],
    "lab_safety_notes": [
      "\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
      "\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
      "\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
    ],
    "review_state": "needs-version-gap-review"
  },
  "verification_status": "triage-manual",
  "verification_mode": "synthetic",
  "last_verified_at": null,
  "last_run_id": null,
  "evidence_bundle": null,
  "historical_status": null,
  "latest_status": null,
  "browser_evidence": {
    "required": false,
    "present": false,
    "refs": []
  },
  "repro_profile_id": "xss-generic",
  "artifact_mode": "official-image",
  "blocked_reason": null,
  "metadata": {
    "source_names": [
      "Drupal Security Advisories RSS"
    ],
    "source_kinds": [
      "rss-feed"
    ],
    "candidate_count": 1,
    "entity_ref_count": 1,
    "advisory_scope": "core",
    "version_confidence": "low",
    "workflow_id": "drupal--47ee170dd0--workflow"
  }
}