CVE-2025-13979

5.4 MEDIUM

📋 TL;DR

This vulnerability in the Drupal Mini site contributed module is a stored cross-site scripting (XSS) flaw: an authenticated user with content creation or editing rights can inject script that executes in the browser of anyone who views the affected pages. All versions prior to 3.0.2 are affected. Stored XSS of this kind can lead to session hijacking, data theft, or further compromise of the site.

💻 Affected Systems

Products:
  • Drupal Mini site
Versions: all versions prior to 3.0.2 (0.0.0 through 3.0.1)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have permission to create or edit content (typically contributor role or higher).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could hijack an administrator's session or drive privileged actions through the administrator's browser, take over the site, install backdoors, and use the server as a foothold to attack other systems on the network.

🟠

Likely Case

Attackers with contributor-level access inject script that steals the session cookies of users who view the affected content or redirects those users to phishing sites.

🟢

If Mitigated

If the module escapes its output correctly (the 3.0.2 fix) and the site serves a Content Security Policy that forbids inline script, injected payloads render as inert text or are blocked by the browser before they execute.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: Likely (generic XSS payloads suffice; no module-specific exploit code is needed)
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires an authenticated user with content creation or editing privileges. Stored-XSS payloads are well documented and easy to craft, so the absence of a public PoC offers little protection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.2

Vendor Advisory: https://www.drupal.org/sa-contrib-2025-117

Restart Required: No

Instructions:

1. Back up the Drupal site (database and code).
2. Update the Mini site module to version 3.0.2 via Composer or Drupal's Update Manager.
3. Clear Drupal's caches.
4. Verify that the installed module version is 3.0.2 or higher.

🔧 Temporary Workarounds

Restrict content editing permissions (applies to: all)

Temporarily remove content creation/editing permissions from non-essential users until patching is complete.

Enable Content Security Policy (applies to: all)

Serve Content-Security-Policy headers that forbid inline script (no 'unsafe-inline' in script-src; use nonces or hashes for the site's own inline scripts) and restrict script sources, so that an injected payload is blocked by the browser even if it reaches the page.
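A CSP only mitigates stored XSS if it actually refuses to run inline script; a policy that lists 'unsafe-inline' in script-src looks restrictive but does nothing against this bug. The following is an added example, not code from the advisory or the module, that evaluates a header value the way a browser would decide whether an attacker's injected script tag may run. The header values are constructed, and how the header is deployed (web server configuration or a Drupal CSP module) is assumed rather than shown.

```shell
#!/bin/sh
# Added example, not from the advisory: test whether a Content-Security-Policy
# header value would let an injected inline <script> run, so you can tell a
# policy that only looks restrictive from one that actually blunts stored XSS.
# Header values below are constructed; deploying the header (web server config
# or a Drupal CSP module) is assumed and not covered here.
set -eu

# Print one directive's full text from a policy; prints nothing if it is absent.
# $1 = directive name, $2 = policy string.
csp_directive() {
  printf '%s' "$2" | tr ';' '\n' | sed 's/^[[:space:]]*//' \
    | grep -E "^$1([[:space:]]|\$)" | head -n 1
}

# Returns 0 when an attacker-injected inline script (no nonce, no hash) would
# execute under this policy, 1 when the browser would block it.
csp_allows_inline_script() {
  policy=$1
  directive=$(csp_directive script-src "$policy")
  # script-src falls back to default-src when it is not set.
  [ -n "$directive" ] || directive=$(csp_directive default-src "$policy")
  # No governing directive at all: the browser applies no restriction.
  [ -n "$directive" ] || return 0
  case "$directive" in
    # CSP3: once a nonce or hash source is present, 'unsafe-inline' is ignored,
    # so only the site's own nonced/hashed inline scripts run.
    *"'nonce-"*|*"'sha256-"*|*"'sha384-"*|*"'sha512-"*) return 1 ;;
    *"'unsafe-inline'"*) return 0 ;;
  esac
  return 1
}

# Constructed policies: a common weak one beside a corrected one.
WEAK_CSP="default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"
STRONG_CSP="default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'self'"

for p in "$WEAK_CSP" "$STRONG_CSP"; do
  if csp_allows_inline_script "$p"; then
    echo "ALLOWS inline script : $p"
  else
    echo "blocks inline script : $p"
  fi
done
```

The nonce in STRONG_CSP must be generated per response and attached to the site's own inline script tags; a fixed nonce is no better than 'unsafe-inline'. Browsers that only implement CSP1 still honour 'unsafe-inline' next to a nonce, which is why the corrected policy omits it entirely.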

🧯 If You Can't Patch

  • Implement web application firewall rules to block common XSS payload patterns (a stopgap only: WAF signatures are routinely bypassed with encoding tricks and less common tags or event handlers)
  • Review Drupal's text formats: Drupal has no global "XSS filter" switch, its defence is the text-format filter pipeline (Basic HTML strips script tags and event-handler attributes), so make sure untrusted roles cannot use Full HTML. This reduces exposure in ordinary body fields but does not fix the module's own escaping bug.

🔍 How to Verify

Check if Vulnerable:

Check the Mini site module version on Drupal's Extend page (admin/modules) or with Drush: 'drush pm:list | grep mini_site' (the older 'drush pm-list' spelling is still accepted).

Check Version:

drush pm-list --fields=name,version --format=json | grep -A2 -B2 "mini_site"

Verify Fix Applied:

Confirm the Mini site module version is 3.0.2 or higher. Then, on a staging copy of the site, create content containing a harmless XSS probe (for example a script tag that only calls alert) as a low-privileged user and confirm the page renders it as escaped text rather than executing it.
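The update steps under "Fix & Mitigation" and the version checks above are one procedure: decide whether the installed module predates 3.0.2, update if so, and re-check. The script below is an added example, not the advisory's or the module's own code. It assumes the module's machine name is mini_site, its Composer package is drupal/mini_site, and the site is managed with Composer and Drush; the drush JSON sample embedded in it is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not the advisory's or the module's own code: check whether the
# installed Mini site module predates the fixed release and, on request, apply
# the update. Assumptions: machine name mini_site, Composer package
# drupal/mini_site, site managed with Composer and Drush.
set -eu

FIXED_VERSION="3.0.2"

# Compare two dotted versions numerically: returns 0 (true) when $1 < $2.
# Non-numeric suffixes such as "-dev" are dropped by awk's string-to-number
# conversion, so a "3.0.2-dev" snapshot compares equal to 3.0.2; treat
# development snapshots as unfixed unless you have checked the commit.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Drupal contrib versions may carry an "8.x-" core-compatibility prefix
# (e.g. 8.x-3.0.1); strip it so only the module's own version is compared.
normalize_version() {
  printf '%s\n' "$1" | sed -e 's/^8\.x-//' -e 's/^[vV]//'
}

# Returns 0 when the given Mini site version is affected (older than 3.0.2).
is_vulnerable() {
  version_lt "$(normalize_version "$1")" "$FIXED_VERSION"
}

# Extract the "version" field for one module ($1) from drush's JSON module
# listing (drush pm:list --format=json) read on stdin; handles both
# pretty-printed and single-line output.
module_version() {
  tr -d '\n' | sed -n "s/.*\"$1\": *{[^}]*\"version\": *\"\([^\"]*\)\".*/\1/p"
}

# Constructed sample of drush output for offline use (not real site output).
SAMPLE_JSON='{
  "mini_site": {
    "package": "Other",
    "name": "Mini site (mini_site)",
    "status": "Enabled",
    "version": "3.0.1"
  }
}'

# For real data replace the sample with:
#   drush pm:list --type=module --format=json | module_version mini_site
installed=$(printf '%s' "$SAMPLE_JSON" | module_version mini_site)

if is_vulnerable "$installed"; then
  echo "mini_site $installed is affected by CVE-2025-13979; update to $FIXED_VERSION"
else
  echo "mini_site $installed is not affected"
fi

# Apply the fix (steps from the advisory page; exact commands are assumed):
# back up, update the package, run pending database updates, rebuild caches,
# then print the installed version again.
apply_fix() {
  drush sql:dump --result-file=../pre-mini_site-update.sql
  composer update drupal/mini_site --with-dependencies
  drush updatedb -y
  drush cache:rebuild
  drush pm:list --type=module --format=json | module_version mini_site
}

# Only run the update when explicitly asked: ./check_mini_site.sh --apply
if [ "${1:-}" = "--apply" ]; then
  apply_fix
fi
```

Run it without arguments to see the check against the embedded sample; swap in the real drush command and run with --apply on a site you have backed up.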

📡 Detection & Monitoring

Log Indicators:

  • Content edits, especially unusual ones, that place script tags, javascript: URLs or event-handler attributes (onload=, onerror=) in content. Drupal's watchdog/dblog "content" channel records who edited which node and when, but not the body, so pair it with a search of the node revision tables.
  • Bursts of rejected POST requests to content edit paths in web server logs if a WAF is in front of the site (access logs alone do not carry POST bodies, so they cannot show the payload itself).

Network Indicators:

  • Victim browsers, not the Drupal server, connecting to attacker-controlled domains right after viewing affected pages; visible in proxy or egress logs for internal users, or as CSP violation reports if the policy sets report-uri/report-to.

SIEM Query (illustrative; adapt source and field names to your schema):

source="drupal.log" AND ("script" OR "javascript:" OR "onload=" OR "onerror=") AND event_type="content_update"

Drupal's own content-update log entries carry the node title and the editing account, not the body, so these markers only appear if your log pipeline enriches the event with the body text or the attacker placed the payload in the title.
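Because the log sources above do not contain the body text, the reliable place to hunt for a planted payload is the node revision history. The following is an added example, not from the advisory: it scans tab-separated revision rows for stored-XSS markers and reports the node, revision and author of each hit. The rows are constructed; the drush/SQL command in the comment is the assumed way to produce real ones.

```shell
#!/bin/sh
# Added example, not from the advisory: scan node body revisions for stored-XSS
# markers. Drupal's watchdog logs which account edited which node, not the body
# text, so the body has to come from the node revision tables. Rows below are
# constructed; the query in the comment is assumed, not taken from the page.
set -eu

# Markers that have no place in contributor-authored body text. Matched
# case-insensitively; tune to your content to keep false positives down.
XSS_PATTERN='<script|javascript:|<svg|<iframe|<object|<embed|[ \t]on[a-z]+[ \t]*='

# Input: "nid<TAB>revision_id<TAB>uid<TAB>body" rows on stdin, one per line.
# Output: each matching row as nid/rev/uid/body. Returns 0 if any row matched
# (something to investigate), 1 if the scanned revisions are clean.
scan_revisions() {
  awk -F '\t' -v pat="$XSS_PATTERN" '
    tolower($4) ~ pat {
      hits++
      printf "nid=%s rev=%s uid=%s body=%s\n", $1, $2, $3, $4
    }
    END { exit ((hits > 0) ? 0 : 1) }'
}

# Constructed sample rows (not real site data), tab-separated.
SAMPLE_ROWS=$(printf '%s\t%s\t%s\t%s\n' \
  101 7 2 '<p>Welcome to our mini site.</p>' \
  102 9 14 '<p>Offer</p><img src=x onerror="alert(document.cookie)">' \
  103 11 14 '<a href="javascript:alert(document.domain)">claim</a>' \
  104 12 3 '<p>Minutes of the meeting; no action items.</p>')

# To produce real rows (assumed Drupal 8+ schema: node_revision holds the
# revision author, node_revision__body the body text; drush sql:query output is
# assumed tab-separated, and bodies containing newlines need to be flattened
# in SQL first):
#   drush sql:query "SELECT r.nid, r.vid, r.revision_uid, b.body_value
#     FROM node_revision r JOIN node_revision__body b ON b.revision_id = r.vid" \
#     | scan_revisions

if printf '%s\n' "$SAMPLE_ROWS" | scan_revisions; then
  echo "suspicious revisions found; review the accounts (uid) listed above"
else
  echo "no XSS markers in scanned revisions"
fi
```

Two hits from the same uid, as in the sample, is the pattern to pivot on: the revision author is the account to disable and the session to terminate, and the revision timestamp bounds the window in which viewers may have been hit.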
