EUVD-2025-18125

CVE-2025-48445 | HIGH 8.8 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     Required
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Lifecycle Timeline

Patch Released       Mar 31, 2026 - 21:13 (nvd); status: patch available
Analysis Generated   Mar 14, 2026 - 21:09 (vuln.today)
EUVD ID Assigned     Mar 14, 2026 - 21:09 (euvd); EUVD-2025-18125
CVE Published        Jun 11, 2025 - 15:15 (nvd); rated HIGH 8.8

Description

Incorrect Authorization vulnerability in Drupal Commerce Eurobank (Redirect) allows Functionality Misuse. This issue affects Commerce Eurobank (Redirect): from 0.0.0 before 2.1.1.

Analysis

CVE-2025-48445 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Commerce Eurobank (Redirect) payment module, affecting all versions before 2.1.1. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R) describes a low-complexity attack over the network by an attacker who holds no account on the site, but one that depends on a user action, for example a victim following a crafted link into the payment flow. Scope is unchanged, and confidentiality, integrity and availability are all rated High, giving a base score of 8.8. Because the module sits in the checkout and payment-processing path of Drupal Commerce stores, the practical concern is that payment-related functionality can be driven by a request the module should have refused.

Technical Context

The module integrates Eurobank's redirect-based card payment flow into Drupal Commerce as an off-site payment gateway: the shopper is sent to the bank's hosted payment page and then returned to the store, which must process the bank's response before the order is treated as paid. The root cause is classified as CWE-863 (Incorrect Authorization), meaning an authorization decision is made, but on the wrong basis, so a request that should have been refused is accepted. The public description does not name the affected function, so what follows is inference from how such gateways are built rather than from the advisory itself. In an off-site gateway the return and notification handlers are the usual weak points: they receive requests whose parameters (order reference, amount, result code) originate outside the site and must be tied both to a pending order and to a response that verifiably came from the bank. An authorization failure there can let a request that was not initiated by the order's owner, or that was never produced by the bank, drive a payment-related operation, such as reading transaction details, altering payment parameters, or changing an order's payment state.
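To make the class of bug concrete, here is an added model of an off-site gateway's return handler, written for this page and not taken from the Commerce Eurobank (Redirect) module or from Eurobank's protocol. The field names, the HMAC-based digest, the shared secret and the in-memory order store are all assumptions; in Drupal Commerce the equivalent logic lives in the gateway plugin's onReturn()/onNotify() handlers. The vulnerable handler treats "a request arrived at the return URL" as sufficient authorization; the hardened one binds the request to a pending order, to the acting user, to a bank-signed response, and to the expected amount before changing any state.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumed: a secret shared between the merchant site and the bank, which the
# bank uses to sign the fields it returns. Constructed for this example.
MERCHANT_SECRET = b"constructed-shared-secret"

# Fields the bank is assumed to sign, in fixed order.
SIGNED_FIELDS = ("order_id", "amount", "status", "txn_id")


@dataclass
class Order:
    order_id: str
    owner_uid: int
    total_cents: int
    state: str = "pending"              # becomes "completed" after a verified payment
    payment_ref: Optional[str] = None


def new_order_store():
    """Constructed sample data: two pending orders owned by different users."""
    return {
        "1001": Order("1001", owner_uid=7, total_cents=4999),
        "1002": Order("1002", owner_uid=8, total_cents=25000),
    }


def bank_digest(params):
    """HMAC-SHA256 over the signed fields (assumed scheme, not Eurobank's)."""
    msg = "|".join(str(params[k]) for k in SIGNED_FIELDS).encode()
    return hmac.new(MERCHANT_SECRET, msg, hashlib.sha256).hexdigest()


def make_bank_response(order_id, amount, status, txn_id):
    """What a genuine redirect back from the bank would carry (constructed)."""
    p = {"order_id": order_id, "amount": amount, "status": status, "txn_id": txn_id}
    p["digest"] = bank_digest(p)
    return p


def vulnerable_on_return(orders, params, current_uid):
    """Authorizes on the wrong basis (CWE-863): reaching the return URL with
    status=success is taken as proof that the bank approved this order. Anyone
    who can cause this URL to be requested can settle any order for free."""
    order = orders.get(params.get("order_id"))
    if order is None:
        return False
    if params.get("status") == "success":
        order.state = "completed"
        order.payment_ref = params.get("txn_id")
        return True
    return False


class CallbackRejected(Exception):
    pass


def hardened_on_return(orders, params, current_uid):
    """Accepts the callback only once every authorization fact is established."""
    order = orders.get(params.get("order_id"))
    if order is None:
        raise CallbackRejected("unknown order")
    # The shopper-facing return route must be used by the order's owner.
    if order.owner_uid != current_uid:
        raise CallbackRejected("order does not belong to the current user")
    # Only a pending order may be completed: blocks replays and double-processing.
    if order.state != "pending":
        raise CallbackRejected("order is not awaiting payment")
    # The response must actually come from the bank: verify the digest over the
    # exact fields we are about to act on, with a constant-time comparison.
    if not all(k in params for k in SIGNED_FIELDS):
        raise CallbackRejected("missing signed fields")
    if not hmac.compare_digest(bank_digest(params), str(params.get("digest", ""))):
        raise CallbackRejected("digest mismatch")
    # A valid digest for a cheaper transaction must not settle a dearer order.
    if int(params["amount"]) != order.total_cents:
        raise CallbackRejected("amount mismatch")
    if params["status"] != "success":
        return False
    order.state = "completed"
    order.payment_ref = params["txn_id"]
    return True


if __name__ == "__main__":
    forged = {"order_id": "1002", "status": "success", "txn_id": "X"}  # no secret needed
    store = new_order_store()
    print("vulnerable accepts forged callback:", vulnerable_on_return(store, forged, 7))
    store = new_order_store()
    try:
        hardened_on_return(store, forged, 7)
    except CallbackRejected as e:
        print("hardened rejects forged callback:", e)
    genuine = make_bank_response("1001", 4999, "success", "TX1")
    print("hardened accepts genuine callback:", hardened_on_return(store, genuine, 7))
```

The ownership check applies to the shopper's return route; a server-to-server notification route has no shopper session, so there the digest and amount checks carry the whole authorization decision and the order-state check is what prevents replay.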

Affected Products

Drupal Commerce Eurobank (Redirect), versions 0.0.0 through 2.1.0 (every release before 2.1.1)

Remediation

- action: Immediate Patch; details: Upgrade the Drupal Commerce Eurobank (Redirect) module to version 2.1.1 or later. This is the definitive fix for CVE-2025-48445.
- action: Update Process; details: Via the Drupal admin interface, go to Manage > Extend > Update and apply the available update. For a Composer-managed site, update the package and then run pending database updates:
  composer update drupal/commerce_eurobank_redirect --with-dependencies
  drush updatedb
- action: Verification; details: After patching, confirm the installed version is 2.1.1 or later, for example with composer show drupal/commerce_eurobank_redirect. Review payment entities and order state changes from the exposure window and reconcile them against the bank's settlement records, looking for orders marked paid without a matching bank transaction or with an amount that differs from the order total.
- action: Interim Mitigation (if patching is delayed); details: Restrict checkout and payment processing to authenticated users only, since the attack needs no account; temporarily disable the Eurobank redirect gateway under Commerce > Configuration > Payment gateways if an alternative gateway is available; add WAF rules and rate limits in front of the gateway's return and notification endpoints; and log and monitor requests to those endpoints for attempts against orders the requester does not own.
- action: Vendor Advisory; details: Consult the official Drupal Security Advisories (drupal.org/security) for the release notes of the fix and any context specific to your installation.
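For the verification step across many sites, here is an added script, written for this page and not part of the module or of Drupal, that reads a composer.lock and reports whether the module is absent, vulnerable, fixed or of an undeterminable version. The Composer package name drupal/commerce_eurobank_redirect is an assumption drawn from the machine name used above, and the lock-file snippets are constructed. Version handling strips the legacy "8.x-" prefix and treats a pre-release of 2.1.1 as still vulnerable.

```python
import json
import re

FIXED_VERSION = "2.1.1"
# Assumed Composer name for the module (drupal/<machine name>).
PACKAGE = "drupal/commerce_eurobank_redirect"


def parse_version(v):
    """Turn '2.1.1', 'v2.1.1', '8.x-2.1' or '2.1.1-beta1' into a comparable
    tuple. Pre-releases sort below the final release of the same number.
    Returns None for branch versions such as 'dev-2.x'."""
    v = re.sub(r"^(\d+\.x-|v)", "", v.strip())
    core, _, pre = v.partition("-")
    if not core or not core[0].isdigit():
        return None
    nums = [int(x) for x in core.split(".") if x.isdigit()]
    nums = (nums + [0, 0, 0])[:3]
    return (*nums, 0 if pre else 1)


def locked_version(lock_text, package=PACKAGE):
    """Version of `package` recorded in a composer.lock, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def assess(lock_text, package=PACKAGE, fixed=FIXED_VERSION):
    """One of 'absent', 'vulnerable', 'fixed', 'unknown'."""
    ver = locked_version(lock_text, package)
    if ver is None:
        return "absent"
    parsed = parse_version(ver)
    if parsed is None:
        return "unknown"
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


def sample_lock(version):
    """Constructed composer.lock fragment with the module at `version`."""
    return json.dumps({
        "packages": [
            {"name": "drupal/commerce", "version": "2.40.0"},
            {"name": PACKAGE, "version": version},
        ],
        "packages-dev": [],
    })


if __name__ == "__main__":
    for v in ("2.0.3", "8.x-2.0", "2.1.1-beta1", "2.1.1", "2.2.0", "dev-2.x"):
        print(f"{v:>12}: {assess(sample_lock(v))}")
    print("     absent:", assess('{"packages": [], "packages-dev": []}'))
```

The lock file records what Composer resolved, not necessarily what is deployed; on the running site pair this with composer show or the Extend > Update report.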

Priority Score

44 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.1, CVSS +44, POC 0


EUVD-2025-18125 vulnerability details – vuln.today
