EUVD-2025-18126

CVE-2025-48446 | HIGH 8.8 (CVSS 3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 14, 2026 - 21:09 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:09 (euvd) - EUVD-2025-18126
CVE Published: Jun 11, 2025 - 15:15 (nvd)

Description

Incorrect Authorization vulnerability in Drupal Commerce Alphabank Redirect allows Functionality Misuse. This issue affects Commerce Alphabank Redirect: from 0.0.0 before 1.0.3.

Analysis

CVE-2025-48446 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Commerce Alphabank Redirect module that allows unauthenticated attackers to misuse functionality through a network-based attack requiring user interaction. The vulnerability affects Commerce Alphabank Redirect versions prior to 1.0.3, with a CVSS score of 8.8 indicating high severity across confidentiality, integrity, and availability impacts. No public indicators of active exploitation or proof-of-concept code are currently documented, but the high CVSS score and authorization bypass nature warrant immediate patching.

Technical Context

The Drupal Commerce Alphabank Redirect module is a payment gateway integration component for the Drupal Commerce e-commerce platform, specifically designed to handle payment redirects for Alphabank payment processing. The vulnerability stems from inadequate authorization checks (CWE-863: Incorrect Authorization) in the module's redirect handling logic, allowing attackers to bypass intended access controls. This authorization flaw affects the module's ability to properly validate user permissions before executing sensitive payment-related functionality. The module integrates with Drupal's routing and permissions systems, and the vulnerability suggests either missing permission checks, improper role validation, or insufficient CSRF/session token verification in the redirect workflow. The affected CPE would be: cpe:2.3:a:drupal:commerce_alphabank_redirect:*:*:*:*:*:drupal:*:* with versions 0.0.0 through 1.0.2 in scope.

Affected Products

Drupal Commerce Alphabank Redirect, versions 0.0.0 through 1.0.2 (inclusive)

Remediation

- Update (priority: Immediate): Update Drupal Commerce Alphabank Redirect to version 1.0.3 or later, via the Drupal module update mechanism or direct download from drupal.org/project/commerce_alphabank_redirect.
- Verification (priority: High): Verify the module version via the admin interface (Administration > Reports > Available updates) or with the drush command: drush pm-info commerce_alphabank_redirect.
- Access Control Review (priority: High): Audit user roles and permissions assigned to payment-related functionality; ensure only trusted users have payment processing access.
- Workaround (priority: Medium): If immediate patching is not possible, restrict access to the Alphabank redirect endpoint via web server configuration or Drupal's URL access restrictions until the patch is deployed.
- Monitoring (priority: Medium): Review access logs for unusual redirect patterns or unauthorized payment gateway interactions; monitor Drupal security advisories for additional guidance.

Priority Score

44 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0


EUVD-2025-18126 vulnerability details – vuln.today
