Flowdrop
Monthly
Missing Authorization (CWE-862) in the Drupal FlowDrop contributed module allows authenticated low-privilege users to perform Forceful Browsing - directly accessing protected URLs without proper permission checks being enforced. All FlowDrop releases from 0.0.0 up to 1.6.0 are affected; a successful attacker can read or modify content and workflow data beyond their authorized scope. No public exploit has been identified and EPSS sits at 0.18% (8th percentile), indicating negligible observed exploitation probability at time of analysis; the vulnerability is not listed in CISA KEV.
Missing authorization in the FlowDrop Drupal contributed module (versions prior to 1.6.0) enables authenticated low-privilege users to perform forceful browsing, accessing URLs and resources that should be restricted to higher-privilege roles. The vulnerability stems from CWE-862, where authorization checks are absent or bypassed on protected endpoints within the module. No public exploit code or CISA KEV listing exists at time of analysis; the EPSS score of 0.18% (8th percentile) reflects low observed exploitation probability, but the low attack complexity and network accessibility make it a meaningful risk on multi-tenant or public Drupal sites with the module installed.
Missing Authorization (CWE-862) in the Drupal FlowDrop contributed module allows authenticated low-privilege users to perform Forceful Browsing - directly accessing protected URLs without proper permission checks being enforced. All FlowDrop releases from 0.0.0 up to 1.6.0 are affected; a successful attacker can read or modify content and workflow data beyond their authorized scope. No public exploit has been identified and EPSS sits at 0.18% (8th percentile), indicating negligible observed exploitation probability at time of analysis; the vulnerability is not listed in CISA KEV.
Missing authorization in the FlowDrop Drupal contributed module (versions prior to 1.6.0) enables authenticated low-privilege users to perform forceful browsing, accessing URLs and resources that should be restricted to higher-privilege roles. The vulnerability stems from CWE-862, where authorization checks are absent or bypassed on protected endpoints within the module. No public exploit code or CISA KEV listing exists at time of analysis; the EPSS score of 0.18% (8th percentile) reflects low observed exploitation probability, but the low attack complexity and network accessibility make it a meaningful risk on multi-tenant or public Drupal sites with the module installed.