VYPR
High severity · NVD Advisory · Published Oct 29, 2025 · Updated Oct 30, 2025

CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112

CVE-2025-12082

Description

Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing. This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CivicTheme Design System for Drupal fails to check access when rendering unpublished or archived nodes as reference cards, leading to information disclosure.

Vulnerability

Overview

CVE-2025-12082 is an incorrect authorization vulnerability in the CivicTheme Design System for Drupal, affecting versions before 1.12.0 [2]. The theme does not sufficiently verify access permissions when displaying entities as reference cards within manually curated lists or blocks. This allows forceful browsing of unpublished or archived content, such as CivicTheme Page and Event nodes, through card components that render title, thumbnail, and tags without proper access control [2].

Exploitation

An attacker can exploit this vulnerability by simply viewing a page that includes a manually curated list or block containing a reference card pointing to an unpublished or archived node. No complex interaction or elevated privileges are required; the card is rendered for all users, including anonymous visitors, even though the underlying node itself is access-checked [2]. The vulnerability is triggered by standard reference configurations and view templates, making it easy to encounter in affected sites.

Impact

Successful exploitation results in information disclosure of content that editors intended to keep hidden, such as draft events or archived pages. This bypasses editorial workflows and may expose sensitive or internal-only information unintentionally [2]. The vulnerability does not allow modification or deletion of content, but the confidentiality impact is significant for sites handling non-public data.

Mitigation

The issue is fixed in CivicTheme version 1.12.0. Users running Drupal 10.x or 11.x with CivicTheme should upgrade immediately to the latest version [2]. No workarounds are mentioned in the advisory.
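The check the advisory describes as missing is an entity access check at the point where a referenced node is turned into a card. The following is an added example in Drupal PHP, not CivicTheme's own code: the hook name, the card template, the field location in `$variables` and the function names are assumptions made for illustration. It contrasts the weak pattern (emit a card for every referenced entity) with the corrected one (ask each entity for a 'view' access result and bubble that result's cacheability into the render array).

```php
<?php

/**
 * @file
 * Added example, not CivicTheme code: access-check referenced entities
 * before rendering them as cards. Hook, template, field location and
 * function names are assumptions for illustration.
 */

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Field\EntityReferenceFieldItemListInterface;

/**
 * Implements hook_preprocess_HOOK() for a hypothetical 'card_list' template.
 *
 * Weak pattern: iterate referencedEntities() and build a card for every
 * item. referencedEntities() loads entities from storage without consulting
 * node access, so an unpublished or archived node still gets its title,
 * thumbnail and tags rendered for anonymous visitors.
 *
 * Corrected pattern: ask each entity for an access result, drop entities
 * the current user may not view, and merge the access result's cacheability
 * into the render array so output computed for one user is never served
 * from cache to another.
 */
function example_theme_preprocess_card_list(array &$variables): void {
  // Assumption: the reference field item list is passed in '#items'.
  $items = $variables['element']['#items'] ?? NULL;
  if (!$items instanceof EntityReferenceFieldItemListInterface) {
    return;
  }

  $cache = CacheableMetadata::createFromRenderArray($variables);
  $variables['cards'] = [];

  foreach ($items->referencedEntities() as $entity) {
    $card = example_theme_build_card_if_accessible($entity, $cache);
    if ($card !== NULL) {
      $variables['cards'][] = $card;
    }
  }

  // Whatever decided visibility (node access, publish status, user
  // permissions) now constrains how this render output may be cached.
  $cache->applyTo($variables);
}

/**
 * Returns a card render array for $entity, or NULL when the current user
 * may not view it. The access result's cacheability is merged into $cache.
 */
function example_theme_build_card_if_accessible(EntityInterface $entity, CacheableMetadata $cache): ?array {
  // 'view' is the same operation Drupal checks when the node is requested
  // directly; the card must apply the same check, for the same account.
  $access = $entity->access('view', NULL, TRUE);
  $cache->addCacheableDependency($access);
  if (!$access->isAllowed()) {
    return NULL;
  }

  // Bubble the entity's own cache tags so the card is invalidated when the
  // node is edited, unpublished or archived after the page was cached.
  $cache->addCacheableDependency($entity);

  return [
    '#theme' => 'example_card',   // hypothetical card template
    '#title' => $entity->label(),
    '#url' => $entity->toUrl(),
  ];
}
```

Two points matter when reviewing a theme for this class of issue: the check must be on the referenced entity, not on the page that hosts the list (the host page may be public while the items it references are not), and the access result must be added as a cacheable dependency, otherwise a correctly filtered list rendered for an editor can be cached and served to anonymous users.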

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
drupal/civictheme (Packagist) | < 1.12.0 | 1.12.0

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.