CVE-2025-31679
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in the Ignition Error Pages contributed module for Drupal lets an attacker inject script into pages the module renders, where it executes in the browsers of other users. It affects Drupal sites running Ignition Error Pages versions before 1.0.4. Successful exploitation could lead to session hijacking, credential theft, or website defacement.
💻 Affected Systems
- Drupal Ignition Error Pages
📦 What is this software?
Ignition Error Pages, a contributed Drupal module (listed under the vendor name Ignition Error Pages Project)
⚠️ Risk & Real-World Impact
Worst Case
An attacker who gets script to run in an administrator's browser can act with that administrator's privileges: create accounts, change settings, enable or install modules, and from there obtain code execution on the web server and install backdoors.
Likely Case
Attackers steal user session cookies, perform actions as authenticated users, redirect users to malicious sites, or deface error pages.
If Mitigated
If the module escapes its output correctly (and a restrictive Content Security Policy is in place), the injected markup renders as text instead of executing, and the impact is limited to failed attempts that show up in the logs.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity. If the affected error pages are reachable without authentication, an unauthenticated attacker can deliver the payload; for a reflected variant the attacker still needs a victim to open a crafted link, whereas a stored variant hits every visitor of the affected page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.4
Vendor Advisory: https://www.drupal.org/sa-contrib-2025-007
Restart Required: No
Instructions:
1. Log into the Drupal admin panel.
2. Navigate to Extend > Update (admin/modules/update) or Reports > Available updates.
3. Check for available updates.
4. Update the Ignition Error Pages module to version 1.0.4 or later. On a Composer-managed site the in-browser updater is not the right tool; update the package with Composer instead.
5. Run database updates if prompted and clear the Drupal cache (drush cache:rebuild).
🔧 Temporary Workarounds
Uninstall the Ignition Error Pages module
Temporarily remove the vulnerable module until patching is possible. Drupal 8 and later have no "disable" state, so the module has to be uninstalled (this drops its configuration, so export it first) and reinstalled after the update:
drush pm:uninstall ignition_error_pages
Implement a Content Security Policy
Add CSP headers to restrict the sources from which scripts may execute. A policy of script-src 'self' blocks all inline scripts, so deploy it first as Content-Security-Policy-Report-Only and confirm that the theme and other modules still work before enforcing it.
Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or configure it in the web server settings
🧯 If You Can't Patch
- Disable the Ignition Error Pages module immediately
- Implement web application firewall rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check Drupal admin reports at /admin/reports/updates, or run drush pm:security (Drush 9 and later; drush pm-updatestatus on Drush 8) to list installed packages with pending security releases.
Check Version:
drush pml --fields=name,version | grep ignition_error_pages
Verify Fix Applied:
Confirm that the module version is 1.0.4 or later via the Drupal admin or the command: drush pml | grep ignition_error_pages
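The update and the version check above, as one command-line example added here (it is not from the advisory or the module project). It assumes the Composer package is drupal/ignition_error_pages and the module machine name is ignition_error_pages, as the page's own drush commands use; the sample drush pml output is constructed. The version comparison strips a legacy 8.x- prefix and ranks a pre-release of 1.0.4 below the final 1.0.4, two cases a plain grep for "1.0.4" gets wrong.

```shell
#!/bin/sh
# Added example: update Ignition Error Pages on a Composer-managed Drupal site and verify
# the installed version against the fixed release. Assumptions (not confirmed by the advisory):
# Composer package drupal/ignition_error_pages, machine name ignition_error_pages.
set -eu

MODULE="ignition_error_pages"
FIXED_VERSION="1.0.4"

# version_ge A B: succeed when version A is >= version B.
# Strips a legacy "8.x-" prefix, compares numeric components, and ranks a
# pre-release such as 1.0.4-beta1 below the final 1.0.4.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^[0-9]+\.x-/, "", a); sub(/^[0-9]+\.x-/, "", b)
    pa = (a ~ /-/); pb = (b ~ /-/)
    sub(/-.*$/, "", a); sub(/-.*$/, "", b)
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i in A) ? A[i] + 0 : 0
      y = (i in B) ? B[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    if (pa && !pb) exit 1
    exit 0
  }'
}

# installed_version MODULE: read `drush pml --fields=name,version` output on stdin and
# print the version column for MODULE (empty if the module is not listed).
installed_version() {
  awk -v m="$1" '$1 == m { print $2; exit }'
}

# module_is_fixed MODULE FIXED: succeed when the listed version is >= FIXED.
module_is_fixed() {
  v=$(installed_version "$1")
  if [ -z "$v" ]; then
    echo "$1 is not installed (or not listed)" >&2
    return 2
  fi
  version_ge "$v" "$2"
}

# Constructed sample of `drush pml --fields=name,version` output (not captured from a real site).
SAMPLE_PML=" Name                  Version
 ignition_error_pages  1.0.3
 token                 1.15.0"

# apply_update: the real update sequence on a site (requires composer and drush; not run here).
apply_update() {
  composer update "drupal/$MODULE" --with-dependencies
  drush updatedb -y
  drush cache:rebuild
  drush pml --fields=name,version | module_is_fixed "$MODULE" "$FIXED_VERSION"
}

if printf '%s\n' "$SAMPLE_PML" | module_is_fixed "$MODULE" "$FIXED_VERSION"; then
  echo "sample site: patched"
else
  echo "sample site: VULNERABLE, run apply_update"
fi
```

On a live site, pipe the real drush pml output into module_is_fixed, or call apply_update once a maintenance window is open; both functions return non-zero when the installed version is still below 1.0.4, so they can gate a deployment script.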
📡 Detection & Monitoring
Log Indicators:
- Requests that end in an error response (4xx/5xx) whose URL path, query string or body carries script tags or event-handler attributes
- Bursts of failed requests to error handler endpoints from the same client
- Requests containing common XSS payload patterns such as <script>, javascript:, or onerror=, including their URL-encoded spellings (%3Cscript, javascript%3A, onerror%3D)
Network Indicators:
- HTTP requests with encoded script payloads in query parameters
- Multiple error page requests from single IPs
SIEM Query:
source="web_logs" AND (uri="*error*" OR uri="*ignition*") AND (request="*<script>*" OR request="*javascript:*" OR request="*onerror=*")
This query matches literal payloads only; URL-decode the request field in the search pipeline or add the encoded spellings (%3Cscript, javascript%3A, onerror%3D), otherwise a probe such as ?q=%3Cscript%3E passes straight through.
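A command-line version of the log checks above, added here as an example and not taken from the advisory: it greps a combined-format access log for the literal markers and their URL-encoded spellings, narrows to requests that ended in an error response (where an error-page module renders its output), and ranks source IPs. The log lines are constructed, not real traffic, and the field positions assume the standard Apache/nginx combined format. Substring matching of this kind is a triage filter, not a complete XSS detector: double encoding, HTML entities and less common event handlers slip past it.

```shell
#!/bin/sh
# Added example: triage an access log for XSS probe patterns against error pages.
# Log lines below are constructed for illustration, not captured from a real server.
set -eu

# Literal and URL-encoded spellings of the markers; -i also catches %3c and SCRIPT variants.
XSS_PATTERN='<script|%3Cscript|javascript:|javascript%3A|on(error|load)=|on(error|load)%3D'

# xss_hits LOGFILE: print every request line carrying one of the markers.
xss_hits() {
  grep -Ei "$XSS_PATTERN" "$1" || true   # grep exits 1 on no match; not an error here
}

# xss_hits_on_error_pages LOGFILE: same, restricted to 4xx/5xx responses
# (field 9 is the status code in combined log format).
xss_hits_on_error_pages() {
  xss_hits "$1" | awk '$9 ~ /^[45][0-9][0-9]$/'
}

# xss_sources LOGFILE: "count ip" per source address, busiest first.
xss_sources() {
  xss_hits "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.5 - - [10/Apr/2025:12:00:01 +0000] "GET /no-such-page?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 512 "-" "curl/8.0"
203.0.113.5 - - [10/Apr/2025:12:00:02 +0000] "GET /node/42?x=<img%20src=x%20onerror=alert(document.cookie)> HTTP/1.1" 200 9800 "-" "curl/8.0"
198.51.100.7 - - [10/Apr/2025:12:00:03 +0000] "GET /node/1 HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2025:12:00:04 +0000] "GET /search/node?keys=javascript+tutorial HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2025:12:00:05 +0000] "GET /missing/javascript%3Aalert(1) HTTP/1.1" 404 500 "-" "curl/8.0"
EOF

echo "== all XSS-pattern requests =="
xss_hits "$LOG"
echo "== XSS-pattern requests that hit an error page =="
xss_hits_on_error_pages "$LOG"
echo "== sources ranked by hit count =="
xss_sources "$LOG"
```

Run it against the real access log by replacing the constructed file; the benign "javascript+tutorial" search in the sample is there to show that the pattern requires the colon (or its %3A encoding) and does not fire on the bare word.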