CVE-2025-31675 - Vulnerability Details - OpenCVE

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Drupal	Drupal

Configuration 1 [-]

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::

No data.

References

Link	Providers
https://www.drupal.org/sa-core-2025-004

History

Mon, 02 Jun 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Drupal Drupal drupal
CPEs		cpe:2.3:a:drupal:drupal::::::::
Vendors & Products		Drupal Drupal drupal

Tue, 29 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 31 Mar 2025 21:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
Title		Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
Weaknesses		CWE-79
References		https://www.drupal.org/sa-core-2025-004

MITRE

Status: PUBLISHED

Assigner: drupal

Published: 2025-03-31T21:35:20.059Z

Updated: 2025-04-29T15:45:10.519Z

Reserved: 2025-03-31T21:30:04.614Z

Link: CVE-2025-31675

Vulnrichment

Updated: 2025-04-29T15:45:06.701Z

NVD

Status : Analyzed

Published: 2025-03-31T22:15:20.003

Modified: 2025-06-02T16:25:25.267

Link: CVE-2025-31675

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-31675", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2025-03-31T21:30:04.614Z", "datePublished": "2025-03-31T21:35:20.059Z", "dateUpdated": "2025-04-29T15:45:10.519Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.drupal.org/project/drupal", "defaultStatus": "unaffected", "product": "Drupal core", "repo": "https://git.drupalcode.org/project/drupal", "vendor": "Drupal", "versions": [{"lessThan": "10.3.14", "status": "affected", "version": "8.0.0", "versionType": "semver"}, {"lessThan": "10.4.5", "status": "affected", "version": "10.4.0", "versionType": "semver"}, {"lessThan": "11.0.13", "status": "affected", "version": "11.0.0", "versionType": "semver"}, {"lessThan": "11.1.5", "status": "affected", "version": "11.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Samuel Mortenson (samuel.mortenson)"}, {"lang": "en", "type": "remediation developer", "value": "Benji Fisher (benjifisher)"}, {"lang": "en", "type": "remediation developer", "value": "Bram Driesen (bramdriesen)"}, {"lang": "en", "type": "remediation developer", "value": "Alex Bronstein (effulgentsia)"}, {"lang": "en", "type": "remediation developer", "value": "Jen Lampton (jenlampton)"}, {"lang": "en", "type": "remediation developer", "value": "Lee Rowlands (larowlan)"}, {"lang": "en", "type": "remediation developer", "value": "Dave Long (longwave)"}, {"lang": "en", "type": "remediation developer", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Joseph Zhao (pandaski)"}, {"lang": "en", "type": "remediation developer", "value": "Adam G-H (phenaproxima)"}, {"lang": "en", "type": "remediation developer", "value": "Samuel Mortenson (samuel.mortenson)"}, {"lang": "en", "type": "remediation developer", "value": "Jess (xjm)"}], "datePublic": "2025-03-19T18:54:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).<p>This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2025-03-31T21:35:20.059Z"}, "references": [{"url": "https://www.drupal.org/sa-core-2025-004"}], "source": {"discovery": "UNKNOWN"}, "title": "Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-01T18:21:31.894556Z", "id": "CVE-2025-31675", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T15:45:10.519Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-31675", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-01T18:21:31.894556Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T15:45:06.701Z"}}], "cna": {"title": "Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Samuel Mortenson (samuel.mortenson)"}, {"lang": "en", "type": "remediation developer", "value": "Benji Fisher (benjifisher)"}, {"lang": "en", "type": "remediation developer", "value": "Bram Driesen (bramdriesen)"}, {"lang": "en", "type": "remediation developer", "value": "Alex Bronstein (effulgentsia)"}, {"lang": "en", "type": "remediation developer", "value": "Jen Lampton (jenlampton)"}, {"lang": "en", "type": "remediation developer", "value": "Lee Rowlands (larowlan)"}, {"lang": "en", "type": "remediation developer", "value": "Dave Long (longwave)"}, {"lang": "en", "type": "remediation developer", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Joseph Zhao (pandaski)"}, {"lang": "en", "type": "remediation developer", "value": "Adam G-H (phenaproxima)"}, {"lang": "en", "type": "remediation developer", "value": "Samuel Mortenson (samuel.mortenson)"}, {"lang": "en", "type": "remediation developer", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/drupal", "vendor": "Drupal", "product": "Drupal core", "versions": [{"status": "affected", "version": "8.0.0", "lessThan": "10.3.14", "versionType": "semver"}, {"status": "affected", "version": "10.4.0", "lessThan": "10.4.5", "versionType": "semver"}, {"status": "affected", "version": "11.0.0", "lessThan": "11.0.13", "versionType": "semver"}, {"status": "affected", "version": "11.1.0", "lessThan": "11.1.5", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/drupal", "defaultStatus": "unaffected"}], "datePublic": "2025-03-19T18:54:00.000Z", "references": [{"url": "https://www.drupal.org/sa-core-2025-004"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).<p>This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2025-03-31T21:35:20.059Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31675", "state": "PUBLISHED", "dateUpdated": "2025-04-29T15:45:10.519Z", "dateReserved": "2025-03-31T21:30:04.614Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2025-03-31T21:35:20.059Z", "assignerShortName": "drupal"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "5203ABED-9A31-41A8-9A2E-51114DB3806C", "versionEndExcluding": "10.3.14", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A7811E7-6793-4CE0-B866-B72B59415A5F", "versionEndExcluding": "10.4.5", "versionStartIncluding": "10.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDD587C1-9A62-4104-92B3-65B6E04BDC95", "versionEndExcluding": "11.0.13", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "13E1698C-D69F-4B55-B7B9-1E0F0A7888D6", "versionEndExcluding": "11.1.5", "versionStartIncluding": "11.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en Drupal Drupal core permite Cross-Site Scripting (XSS). Este problema afecta al n\u00facleo de Drupal: desde la versi\u00f3n 8.0.0 hasta la 10.3.14, desde la versi\u00f3n 10.4.0 hasta la 10.4.5, desde la versi\u00f3n 11.0.0 hasta la 11.0.13, desde la versi\u00f3n 11.1.0 hasta la 11.1.5."}], "id": "CVE-2025-31675", "lastModified": "2025-06-02T16:25:25.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-31T22:15:20.003", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2025-004"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Primary"}]}