
CVE-2025-48916: CWE-862 Missing Authorization in Drupal Bookable Calendar

Medium
Tags: Vulnerability, CVE-2025-48916, cve, cwe-862
Published: Fri Jun 13 2025 (06/13/2025, 15:35:36 UTC)
Source: CVE Database V5
Vendor/Project: Drupal
Product: Bookable Calendar

Description

Missing Authorization vulnerability in Drupal Bookable Calendar allows Forceful Browsing. This issue affects Bookable Calendar: from 0.0.0 before 2.2.13.

AI-Powered Analysis

Last updated: 06/13/2025, 16:05:52 UTC

Technical Analysis

CVE-2025-48916 is a Missing Authorization vulnerability identified in the Drupal Bookable Calendar module, affecting versions prior to 2.2.13. The vulnerability is classified under CWE-862 (Missing Authorization), the weakness in which code performs an operation on behalf of a requester without first checking that the requester is authorized to perform it. This flaw allows forceful browsing: an attacker can reach resources or pages within the Bookable Calendar module that should require permission validation. In other words, the module fails to verify whether the requesting user holds the necessary rights before serving certain calendar entries or booking functionality, which can expose sensitive booking data or administrative functions. The vulnerability exists because the authorization logic is either missing or incorrectly implemented, so the intended access controls can be bypassed. Although no exploits are currently reported in the wild, a missing check of this kind is typically straightforward to trigger, as it requires neither complex preconditions nor elevated privileges. The absence of a CVSS score indicates that the severity has not yet been fully assessed, but the published details confirm a significant authorization bypass in a widely used content management system extension.
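As an added illustration, not code from the Bookable Calendar module (the advisory does not name the affected routes), the Drupal route-definition pattern that produces this class of bug, beside the corrected form that delegates the decision to a permission and per-entity access check. The module, entity type, route and permission names are hypothetical.

```php
<?php
// Added example, not from the Bookable Calendar module. All names are hypothetical.
//
// Weak example_booking.routing.yml: `_access: 'TRUE'` grants the page to anyone
// who knows the URL, which is exactly the forceful-browsing condition of CWE-862.
//
//   example_booking.view:
//     path: '/booking/{booking}'
//     defaults:
//       _controller: '\Drupal\example_booking\Controller\BookingController::view'
//     requirements:
//       _access: 'TRUE'
//
// Corrected routing.yml: the route requires a custom access callback, and the
// {booking} slug is upcast to the entity so the callback can check it.
//
//   example_booking.view:
//     path: '/booking/{booking}'
//     defaults:
//       _controller: '\Drupal\example_booking\Controller\BookingController::view'
//     requirements:
//       _custom_access: '\Drupal\example_booking\Controller\BookingController::access'
//     options:
//       parameters:
//         booking: { type: 'entity:example_booking' }

namespace Drupal\example_booking\Controller;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

class BookingController extends ControllerBase {

  /**
   * Route access callback: module permission AND per-entity access must pass.
   */
  public function access(AccountInterface $account, EntityInterface $booking): AccessResultInterface {
    // Fails closed: an account without the permission gets a cacheable "forbidden".
    $permission = AccessResult::allowedIfHasPermission($account, 'view example bookings');
    // Entity access handler applies owner/role rules; TRUE returns an AccessResult object.
    $entity = $booking->access('view', $account, TRUE);
    return $permission->andIf($entity)->addCacheableDependency($booking);
  }

  public function view(EntityInterface $booking): array {
    return $this->entityTypeManager()->getViewBuilder($booking->getEntityTypeId())->view($booking);
  }
}
```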

Potential Impact

For European organizations using Drupal with the Bookable Calendar module, this vulnerability could lead to unauthorized disclosure of sensitive booking information, potentially including customer data, internal scheduling, or resource allocation details. This exposure could compromise confidentiality and possibly integrity if unauthorized users can manipulate bookings or calendar entries. The impact is particularly critical for sectors relying heavily on booking systems, such as healthcare, hospitality, education, and public services. Unauthorized access could lead to privacy violations under GDPR, reputational damage, and operational disruptions if attackers manipulate calendar data. Since Drupal is widely adopted across Europe for governmental, educational, and commercial websites, the risk extends to a broad range of organizations. The lack of authentication or authorization checks could also facilitate lateral movement within compromised environments, increasing the overall risk profile. While availability impact is less direct, unauthorized modifications could disrupt normal operations. The absence of known exploits suggests a window for proactive mitigation before widespread exploitation occurs.

Mitigation Recommendations

Organizations should immediately verify the version of the Bookable Calendar module in use and upgrade to version 2.2.13 or later, where the authorization checks have been corrected. If upgrading is not immediately feasible, implement compensating controls such as restricting access to the calendar module via web application firewalls (WAFs) or network segmentation to limit exposure. Conduct thorough access reviews to ensure that only authorized users have permissions related to calendar booking functionalities. Additionally, implement monitoring and logging of access to calendar-related endpoints to detect unusual or unauthorized browsing attempts. Security teams should perform penetration testing focused on authorization bypass scenarios within Drupal modules. Finally, maintain regular updates of Drupal core and contributed modules to reduce exposure to similar vulnerabilities and subscribe to Drupal security advisories for timely alerts.


Technical Details

Data Version: 5.1
Assigner Short Name: drupal
Date Reserved: 2025-05-28T14:59:40.498Z
CVSS Version: null
State: PUBLISHED

Threat ID: 684c4884a8c921274380a656

Added to database: 6/13/2025, 3:49:24 PM

Last enriched: 6/13/2025, 4:05:52 PM

Last updated: 8/13/2025, 7:01:36 PM
