Vulnerability-Lookup

Vulnerability from drupal

Published

2025-04-23 16:58

Modified

2025-04-23 16:58

Summary

Details

This module enables you to put a site wide bootstrap themed alert message on the top of every page.

The module doesn't sufficiently filter text input when leading to a possible XSS attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer bootstrap site alerts".

Credits

Elijah Byrd (elibyrd) www.drupal.org/u/elibyrd

Mitch Portier (arkener) www.drupal.org/u/arkener

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.13.0 || \u003e=3.0.0 \u003c3.0.4"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/bootstrap_site_alert"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.13.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "database_specific": {
            "constraint": "\u003e=3.0.0 \u003c3.0.4"
          },
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2025-3901"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/elibyrd"
      ],
      "name": "Elijah Byrd (elibyrd)"
    },
    {
      "contact": [
        "https://www.drupal.org/u/arkener"
      ],
      "name": "Mitch Portier (arkener)"
    }
  ],
  "details": "This module enables you to put a site wide bootstrap themed alert message on the top of every page.\n\nThe module doesn\u0027t sufficiently filter text input when leading to a possible XSS attacks.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission \"administer bootstrap site alerts\".",
  "id": "DRUPAL-CONTRIB-2025-042",
  "modified": "2025-04-23T16:58:51.000Z",
  "published": "2025-04-23T16:58:51.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-042"
    }
  ],
  "schema_version": "1.7.0"
}

CVE-2025-3901 (GCVE-0-2025-3901)

Vulnerability from cvelistv5 – Published: 2025-04-23 17:07 – Updated: 2025-04-23 18:44

Title

Bootstrap Site Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-042

Summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Bootstrap Site Alert allows Cross-Site Scripting (XSS).This issue affects Bootstrap Site Alert: from 0.0.0 before 1.13.0, from 3.0.0 before 3.0.4.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-042

Impacted products

	Vendor	Product	Version
	Drupal	Bootstrap Site Alert	Affected: 0.0.0 , < 1.13.0 (semver) Affected: 3.0.0 , < 3.0.4 (semver)

Credits

Mitch Portier (arkener) Elijah Byrd (elibyrd) Mitch Portier (arkener) Joseph Olstad (joseph.olstad) Ivo Van Geertruyen (mr.baileys) Greg Knaddison (greggles) Juraj Nemec (poker10)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-3901",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T18:44:16.543203Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:44:37.224Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/bootstrap_site_alert",
          "defaultStatus": "unaffected",
          "product": "Bootstrap Site Alert",
          "repo": "https://git.drupalcode.org/project/bootstrap_site_alert",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "1.13.0",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.4",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Mitch Portier (arkener)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Elijah Byrd (elibyrd)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Mitch Portier (arkener)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Joseph Olstad (joseph.olstad)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ivo  Van Geertruyen (mr.baileys)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec (poker10)"
        }
      ],
      "datePublic": "2025-04-23T16:58:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Bootstrap Site Alert allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Bootstrap Site Alert: from 0.0.0 before 1.13.0, from 3.0.0 before 3.0.4.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Bootstrap Site Alert allows Cross-Site Scripting (XSS).This issue affects Bootstrap Site Alert: from 0.0.0 before 1.13.0, from 3.0.0 before 3.0.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-23T17:07:53.321Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-042"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Bootstrap Site Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-042",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-3901",
    "datePublished": "2025-04-23T17:07:53.321Z",
    "dateReserved": "2025-04-23T16:27:30.153Z",
    "dateUpdated": "2025-04-23T18:44:37.224Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from drupal

CVE-2025-3901 (GCVE-0-2025-3901)

Tags

Sightings

Nomenclature