CVE-2025-31689

Cross-site Request Forgery
Affects: GDPR >7.0.0 <=7.1.x-alpha12 in Drupal 7
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications.

The GDPR Tasks sub-module within the GDPR module helps users organize the tasks necessary to secure a site. Some versions of this module permit malicious actors to create tasks without sufficient authorization; these tasks can become an avenue into the system.

The exploit was first found in the 3.x branch of the module; the fix was re-implemented in the Drupal 7-compatible version of the module available in the HeroDevs GDPR NES version.

Though no longer a separately named entry in the OWASP Top Ten, cross-site request forgery falls under Broken Access Control, which is an OWASP Top Ten category.

Malicious attackers use cross-site request forgery to cause a user to execute unwanted actions in a web application in which they have a valid, authenticated session. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

Riding on the victim's authenticated session, a CSRF attack can lead to:

  • transferring funds
  • modifying personal data, such as emails, telephone numbers and physical addresses
  • additional nefarious activities.

When the victim has administrator rights, an attack can compromise the entire web application.
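In Drupal 7 the Form API attaches a CSRF token to every form automatically, but a state-changing action exposed through a plain menu callback and a link gets no such protection unless the module adds it. The following added example (not the GDPR module's code; "mymodule", its paths, permission and table name are hypothetical, the Drupal 7 API functions are real) shows the unprotected pattern next to the hardened one that binds a token to the visitor's session and verifies it before acting.

```php
<?php
// Added example, not the GDPR module's code. "mymodule", its paths, the
// permission and the table name are hypothetical; the D7 API calls are real.

// Implements hook_menu().
function mymodule_menu() {
  $items = array();
  // Vulnerable pattern: a state-changing action reachable by plain GET, guarded
  // only by a permission check. Any page the victim visits can trigger it.
  $items['mymodule/task/add-unsafe'] = array(
    'page callback' => 'mymodule_task_add_unsafe',
    'access arguments' => array('administer mymodule tasks'),
    'type' => MENU_CALLBACK,
  );
  // Hardened pattern: the same action, but the link carries a token bound to
  // the visitor's session and this path, and the callback verifies it.
  $items['mymodule/task/add'] = array(
    'page callback' => 'mymodule_task_add',
    'access arguments' => array('administer mymodule tasks'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function mymodule_task_add_unsafe() {
  db_insert('mymodule_task')->fields(array('title' => 'new task'))->execute();
  drupal_goto('mymodule/tasks');
}

/**
 * Renders the action link. drupal_get_token() derives the token from the
 * session ID, the site's private key and its hash salt, so a third-party
 * page cannot compute it for the victim.
 */
function mymodule_task_add_link() {
  $path = 'mymodule/task/add';
  $options = array('query' => array('token' => drupal_get_token($path)));
  return l(t('Add task'), $path, $options);
}

/**
 * Refuses the request unless a token valid for this session and path is present.
 */
function mymodule_task_add() {
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'mymodule/task/add')) {
    return MENU_ACCESS_DENIED;
  }
  db_insert('mymodule_task')->fields(array('title' => 'new task'))->execute();
  drupal_goto('mymodule/tasks');
}
```

Returning MENU_ACCESS_DENIED from the page callback makes Drupal 7 deliver a 403 page, so a forged request fails closed instead of creating the task.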

Details

Module Info

Project Page: https://drupal.org/project/gdpr

Affected Versions: >=7.0.0 <=7.1.0-alpha12

Vulnerability Info

This medium-severity vulnerability is found in the Drupal GDPR Tasks submodule, which is shipped with the GDPR module. The exploit was first found in the 3.x branch of the module; the fix was re-implemented in the Drupal 7-compatible version of the module available in the HeroDevs GDPR NES version.

Steps To Reproduce

  1. Create a Drupal 7 installation and install a GDPR module version that is vulnerable to the exploit, such as 7.x-1.0-alpha12.
  2. Also install Ctools, Views, Entity, and Checklistapi.
  3. Enable the following modules:
    • Ctools, Views, Entity, Checklistapi
    • General Data Protection Regulation (GDPR)
    • General Data Protection Regulation (GDPR) - Fields
    • General Data Protection Regulation (GDPR) - Obfuscated SQL Dump
    • General Data Protection Regulation (GDPR) - Tasks
  4. Navigate to Administration > Configuration > GDPR > Checklist (/admin/config/gdpr/checklist). In that form:
    • Add a Multifile field from the drop-down.
    • On the next page, set the allowable uploads and note the allowable file size.
    • Save the field and save the form.
  5. Click the View tab to go to node/1.
  6. Craft a file with a malicious name, such as:
     "><img src=x onerror=alert('XSS')>.txt
  7. Upload the file. When the upload is complete, a dialog will appear (which shouldn't).

Addressing the Issue

Users of the affected component(s) should apply one of the following mitigations:

  • Disable the module.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.

Vulnerability Details

ID: CVE-2025-31689
Project Affected: GDPR
Versions Affected: >7.0.0 <=7.1.x-alpha12
Published date: May 16, 2025
≈ Fix date: March 31, 2025
Fixed in:
Severity: Medium
Category: Cross-site Request Forgery