CVE-2025-48916

6.5 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in Drupal's Bookable Calendar module that allows attackers to access restricted functionality through forceful browsing. Attackers can bypass intended access controls to perform unauthorized actions. All Drupal sites using vulnerable versions of the Bookable Calendar module are affected.

💻 Affected Systems

Products:
  • Drupal Bookable Calendar module
Versions: 0.0.0 through 2.2.12
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with the Bookable Calendar module installed and enabled.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate booking data, view sensitive calendar information, modify reservations, or potentially escalate privileges within the booking system.

🟠 Likely Case

Unauthorized users accessing booking management functions, viewing private calendar data, or making unauthorized modifications to existing bookings.

🟢 If Mitigated

Limited impact with proper network segmentation and additional authorization layers, though the core vulnerability remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires knowledge of the module's URL structure but no special tools or advanced skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.13

Vendor Advisory: https://www.drupal.org/sa-contrib-2025-070

Restart Required: No

Instructions:

1. Update the Bookable Calendar module to version 2.2.13 or later via Drupal's update manager.
2. Clear Drupal caches.
3. Verify the update was successful.

🔧 Temporary Workarounds

Temporary Access Restriction (applies to: all)

Implement additional access controls at the web server level to restrict access to Bookable Calendar paths.

🧯 If You Can't Patch

  • Implement strict access controls and authentication checks for all Bookable Calendar endpoints
  • Disable or remove the Bookable Calendar module if not essential

🔍 How to Verify

Check if Vulnerable:

Check the Bookable Calendar module version in Drupal's Extend page or via drush: drush pm-list | grep bookable_calendar

Check Version:

drush pm-list --fields=name,version | grep bookable_calendar

Verify Fix Applied:

Confirm the module version is 2.2.13 or higher, then test that unauthorized users cannot reach booking management functions.
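The version check above can be automated against the output of `drush pm-list --fields=name,version`. The script below is an added example, not part of the advisory or the module; the drush output it parses is a constructed sample, and it assumes drush prints the module as "Name (machine_name)" followed by a version in either legacy `8.x-2.2.12` or plain `2.2.12` form.

```python
import re

# Constructed sample of `drush pm-list --fields=name,version` output (not from a real site).
SAMPLE_DRUSH_OUTPUT = """\
 Name                                   Version
 Bookable Calendar (bookable_calendar)  8.x-2.2.12
 Token (token)                          8.x-1.13
"""

FIXED_VERSION = (2, 2, 13)  # first fixed release named in the advisory

_VERSION_RE = re.compile(r"^(?:\d+\.x-)?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Return ((major, minor, patch), has_prerelease_suffix) for a contrib version string.

    Accepts both the legacy core-prefixed form ('8.x-2.2.12') and plain semver ('2.2.12').
    A suffix such as '-beta1' is reported separately so callers can treat it conservatively.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4) is not None


def is_vulnerable(version_text):
    """True if the installed version falls in the affected range 0.0.0 through 2.2.12."""
    base, prerelease = parse_version(version_text)
    if base < FIXED_VERSION:
        return True
    # A pre-release of the fixed version (e.g. 2.2.13-beta1) precedes the fix; assume vulnerable.
    return base == FIXED_VERSION and prerelease


def check_drush_output(output, machine_name="bookable_calendar"):
    """Scan drush pm-list output; return (module_found, version_or_None, vulnerable)."""
    for line in output.splitlines():
        if f"({machine_name})" in line:
            last = line.split()[-1]
            if last.endswith(")"):  # no version column present on this line
                return True, None, True  # unknown version: treat as vulnerable until confirmed
            return True, last, is_vulnerable(last)
    return False, None, False  # module not installed, so not affected


if __name__ == "__main__":
    print(check_drush_output(SAMPLE_DRUSH_OUTPUT))
```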

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /bookable-calendar/* paths in web server logs
  • Failed authorization checks in Drupal logs

Network Indicators:

  • Unusual patterns of requests to booking endpoints from unauthorized users

SIEM Query:

source="web_server_logs" AND (uri_path="/bookable-calendar/*" OR uri_path="/admin/config/services/bookable-calendar/*") AND response_code=200 AND user_agent NOT IN ("authorized_user_agents")

Note that the user_agent clause is only a placeholder for your own exclusion list; a User-Agent string is client-controlled and is not an authorization signal. Where possible, correlate successful (200) responses on these paths with the Drupal session or user ID instead, and alert on hits that carry no authenticated session.
