CVE-2025-3733

6.5 MEDIUM

📋 TL;DR

This CVE describes a Cross-Site Scripting (XSS) vulnerability in the baguetteBox.Js module for Drupal. An attacker who can get script into a page the module renders gets it executed in other visitors' browsers, including those of site administrators, and can act with their session. Drupal sites running an affected release of the module are affected.

💻 Affected Systems

Products:
  • Drupal baguetteBox.Js module
Versions: all releases before 2.0.4 (0.x, 1.x and 2.0.0 through 2.0.3); 3.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal installations with the baguetteBox.Js module enabled.

📦 What is this software?

baguetteBox.js is a small, dependency-free JavaScript lightbox library for image galleries. The Drupal baguetteBox.Js contrib module packages that library and wires it into a site's image galleries so that images open in the lightbox.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Script running in an administrator's browser can create or elevate accounts, change site configuration, deface content, or redirect visitors to attacker-controlled sites.

🟠

Likely Case

Script running in a logged-in user's browser performs actions as that user (Drupal's session cookie is HttpOnly by default, so outright cookie theft is the less likely outcome), which can lead to account compromise and unauthorized access.

🟢

If Mitigated

A Content-Security-Policy whose script-src carries no 'unsafe-inline', plus WAF filtering of obvious payloads, blunts exploitation, but the defect remains in the module's code until it is updated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS is cheap to exploit: the attacker needs a way to place the payload (whether that requires a Drupal role depends on where the module renders untrusted text; see the advisory) and a victim who loads the affected page. The victim needs no interaction beyond viewing it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.4 (2.x branch) or 3.0.1 (3.x branch)

Vendor Advisory: https://www.drupal.org/sa-contrib-2025-034

Restart Required: No

Instructions:

1. Update the baguetteBox.Js module to 2.0.4 on the 2.x branch or 3.0.1 on the 3.x branch via Composer or Drupal's update manager.
2. Run any pending database updates, then clear Drupal's caches so the patched assets are served.

🔧 Temporary Workarounds

Uninstall the baguetteBox.Js module

Applies to: all platforms

Drupal 8 and later have no "disabled" state for modules, so the module is uninstalled until the patched release is in place. Uninstalling drops the module's configuration; export configuration first (drush config:export) so it can be restored after the update.

drush pm:uninstall baguettebox_js

Implement Content Security Policy

Applies to: all platforms

Add a Content-Security-Policy header whose script-src omits 'unsafe-inline' and wildcard hosts. Start with Content-Security-Policy-Report-Only to find themes or modules that rely on inline scripts, then enforce. This stops injected scripts from running; it does not remove the bug.
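The check below is an added example, not code from the advisory or the baguetteBox.Js project. It answers the question a CSP workaround stands or falls on: would the policy the site actually sends block an injected inline script? It looks up script-src (falling back to default-src), and rejects policies that allow 'unsafe-inline' without a nonce or hash, or that list wildcard or scheme-only sources. The policy strings are constructed samples; the curl line in the comment is how you would feed it a live header.

```shell
#!/bin/sh
# Added example: not code from the advisory or the project. Checks whether a
# Content-Security-Policy value would actually block an injected inline <script>,
# the property a CSP needs to mitigate this XSS. Sample policies are constructed.

# csp_directive HEADER NAME -> prints NAME's source list (empty if the directive is absent)
csp_directive() {
  printf '%s\n' "$1" | tr ';' '\n' |
    awk -v d="$2" 'tolower($1) == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# csp_blocks_inline_script HEADER -> 0 if injected inline scripts are blocked, 1 otherwise
csp_blocks_inline_script() {
  srcs=$(csp_directive "$1" script-src)
  [ -n "$srcs" ] || srcs=$(csp_directive "$1" default-src)   # script-src falls back to default-src
  [ -n "$srcs" ] || return 1                                  # no script restriction at all
  case "$srcs" in
    *"'unsafe-inline'"*)
      # CSP Level 3 browsers ignore 'unsafe-inline' once a nonce or hash source is present;
      # without one it re-enables exactly what the XSS needs.
      case "$srcs" in
        *"'nonce-"*|*"'sha256-"*|*"'sha384-"*|*"'sha512-"*) ;;
        *) return 1 ;;
      esac ;;
  esac
  case " $srcs " in
    # wildcard or scheme-only sources let an injected <script src=...> load attacker-hosted code
    *" * "*|*" data: "*|*" https: "*) return 1 ;;
  esac
  return 0
}

# Constructed sample policies: a common weak one and a strict one suitable for Drupal.
WEAK="default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
STRICT="default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"

for p in "$WEAK" "$STRICT"; do
  if csp_blocks_inline_script "$p"; then
    printf 'OK    %s\n' "$p"
  else
    printf 'WEAK  %s\n' "$p"
  fi
done

# Against a live site (not run here):
#   hdr=$(curl -sI https://example.org/ | sed -n 's/^[Cc]ontent-[Ss]ecurity-[Pp]olicy:[[:space:]]*//p' | tr -d '\r')
#   csp_blocks_inline_script "$hdr" && echo "policy blocks inline script"
```

The strict policy above is a starting point, not a drop-in: 'self' must cover wherever the site serves the module's JavaScript, and any CDN hosts the theme loads scripts from have to be listed explicitly rather than with a wildcard.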

🧯 If You Can't Patch

  • Put WAF rules in front of the site that block the obvious XSS payloads (script tags, event-handler attributes, javascript: URIs, both raw and percent-encoded). Treat this as noise reduction rather than a fix; encoding tricks get past signature rules.
  • Drupal's built-in XSS defences (Twig auto-escaping, text-format filtering) have no switch to enable: they are always on and did not prevent this issue, so do not count on them as a mitigation. Do restrict text formats that allow raw HTML to trusted roles.

🔍 How to Verify

Check if Vulnerable:

Check Drupal's module status page (Extend) or use drush pm:list to see the installed baguetteBox.Js version.

Check Version:

drush pm:list --type=module | grep -i baguettebox

Verify Fix Applied:

Confirm the module version is 2.0.4 or later on the 2.x branch, or 3.0.1 or later on the 3.x branch, via the Drupal admin UI or drush pm:list, and that caches were rebuilt afterwards.
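The script below is an added example, not code from the advisory or the baguetteBox.Js project; it serves both the fix instructions and the verification steps above. It reads the version from the module's packaged info.yml and decides whether that version is fixed for CVE-2025-3733 on either branch, which a plain "is it 2.0.4 or 3.0.1" comparison gets wrong for later releases such as 2.1.0. Assumptions: the module's machine name is baguettebox_js, and on a live site its info file sits at modules/contrib/baguettebox_js/baguettebox_js.info.yml; the info.yml content is a constructed sample.

```shell
#!/bin/sh
# Added example: not code from the advisory or the baguetteBox.Js project.
# Reads the installed module version from its packaged info.yml and decides whether it
# carries the CVE-2025-3733 fix (2.0.4 on the 2.x branch, 3.0.1 on the 3.x branch).
# Assumptions: the module's machine name is baguettebox_js, and on a live site its info
# file is modules/contrib/baguettebox_js/baguettebox_js.info.yml (adjust to your layout).

# bbx_is_fixed VERSION -> exit 0 if VERSION is fixed or outside the affected ranges,
# 1 if it is vulnerable or cannot be parsed (unparseable is treated as vulnerable).
bbx_is_fixed() {
  # Normalise: drop a legacy "8.x-" core prefix, a leading "v" and any -dev/-rc suffix.
  v=$(printf '%s' "$1" | sed -e 's/^[0-9]\.x-//' -e 's/^v//' -e 's/-.*$//')
  case "$v" in
    ''|*[!0-9.]*) return 1 ;;
  esac
  major=${v%%.*}
  rest=${v#*.}
  [ "$rest" = "$v" ] && rest=0           # "2"   -> minor 0, patch 0
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0      # "2.0" -> patch 0
  patch=${patch%%.*}                     # ignore a fourth component if present
  for n in "$major" "$minor" "$patch"; do
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
  done
  [ "$major" -lt 2 ] && return 1         # 0.x and 1.x fall in "before 2.0.4"
  [ "$major" -gt 3 ] && return 0         # 4.x and later are not in the affected ranges
  if [ "$major" -eq 2 ]; then
    [ "$minor" -gt 0 ] || [ "$patch" -ge 4 ]    # 2.0.4+, or any 2.1+
  else
    [ "$minor" -gt 0 ] || [ "$patch" -ge 1 ]    # 3.0.1+, or any 3.1+
  fi
}

# bbx_version_from_info FILE -> prints the value of the "version:" key in a packaged info.yml
bbx_version_from_info() {
  sed -n 's/^version:[[:space:]]*//p' "$1" | tr -d "\"'" | head -n 1
}

# bbx_verdict VERSION -> prints a one-line verdict; exit status follows bbx_is_fixed
bbx_verdict() {
  if bbx_is_fixed "$1"; then
    printf 'baguettebox_js %s: fixed\n' "$1"
  else
    printf 'baguettebox_js %s: VULNERABLE, update to 2.0.4 (2.x) or 3.0.1 (3.x)\n' "$1"
    return 1
  fi
}

# Constructed sample of a packaged info.yml (drupal.org packaging appends the version key).
sample_info=$(mktemp)
cat >"$sample_info" <<'EOF'
name: baguetteBox.Js
type: module
core_version_requirement: ^9.3 || ^10
version: '2.0.3'
EOF
bbx_verdict "$(bbx_version_from_info "$sample_info")" || true
rm -f "$sample_info"

# On a live site:
#   bbx_verdict "$(bbx_version_from_info web/modules/contrib/baguettebox_js/baguettebox_js.info.yml)"
```

To apply the fix on a Composer-managed site (package name assumed to follow the usual drupal/<machine name> pattern): composer update drupal/baguettebox_js --with-dependencies, then drush updatedb -y and drush cache:rebuild, then rerun the verdict against the updated info.yml.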

📡 Detection & Monitoring

Log Indicators:

  • Script tags, event-handler attributes (onerror=, onload=) or javascript: URIs, raw or percent-encoded, in query strings or form fields
  • Repeated such requests from one client against pages that render baguetteBox galleries

Network Indicators:

  • HTTP requests carrying script tags or other JavaScript payloads toward pages that render baguetteBox galleries

SIEM Query:

source="web_logs" AND ("<script" OR "%3Cscript" OR "javascript:" OR "javascript%3A" OR "onerror=" OR "onload=")

Match on the payload, not on the module name: the term "baguettebox" appears in every legitimate load of the library's own JavaScript file, and a literal "<script>" misses percent-encoded requests. Narrow by path to the pages that render galleries once payload matches fire.
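The script below is an added example, not part of the advisory, that runs the same detection logic over raw access logs with grep and awk, including the percent-encoded payload forms. The log lines are constructed samples in Apache combined format (client addresses from documentation ranges, a guessed asset path for the module's JavaScript). Only the request line is visible in an access log, so a payload sent in a POST body, as in the fifth sample line, does not show up here; stored-XSS hunting needs the database content or Drupal's own logs.

```shell
#!/bin/sh
# Added example: not from the advisory. Scans web-server access logs for the XSS probe
# patterns the SIEM query above looks for, plus their percent-encoded forms.
# Log lines below are constructed samples in Apache combined format.

# Raw and percent-encoded "<script", "javascript:" and on*= handler attributes.
XSS_PATTERN='<script|%3[Cc]script|javascript:|javascript%3[Aa]|on(error|load|mouseover|focus)[[:space:]]*(=|%3[Dd])'

# xss_probe_count FILE -> prints how many request lines carry an XSS-looking payload
xss_probe_count() {
  grep -E -i -c -- "$XSS_PATTERN" "$1" || true    # grep -c exits 1 on zero matches
}

# xss_probe_sources FILE -> prints "COUNT CLIENT_IP" per source, busiest first
xss_probe_sources() {
  grep -E -i -- "$XSS_PATTERN" "$1" | awk '{ print $1 }' | sort | uniq -c |
    sort -rn | awk '{ print $1, $2 }'
}

# sample_log -> writes the constructed sample log to a temp file and prints its path.
# Lines 1, 2 and 6 are probes; line 4 is a legitimate load of the library's own JS file,
# which a match on the word "baguettebox" would wrongly flag; line 5 is a POST whose
# body (where a stored payload would travel) is not in the access log at all.
sample_log() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
203.0.113.5 - - [12/May/2025:10:01:02 +0000] "GET /gallery?caption=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2025:10:01:03 +0000] "GET /gallery?caption=<img src=x onerror=alert(1)> HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2025:10:02:10 +0000] "GET /node/12 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2025:10:02:11 +0000] "GET /modules/contrib/baguettebox_js/js/baguettebox.js HTTP/1.1" 200 20123 "https://example.org/node/12" "Mozilla/5.0"
192.0.2.9 - - [12/May/2025:10:03:00 +0000] "POST /node/12/edit HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2025:10:03:01 +0000] "GET /node/12?x=javascript%3Aalert(document.cookie) HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
EOF
  printf '%s\n' "$f"
}

log=$(sample_log)
printf 'XSS-looking requests: %s\n' "$(xss_probe_count "$log")"
xss_probe_sources "$log"
rm -f "$log"
```

Expect some false positives from the on*= terms on sites with those strings in legitimate parameters; tune the pattern to the parameters your gallery pages actually accept rather than loosening it.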

🔗 References

  • Drupal security advisory SA-CONTRIB-2025-034: https://www.drupal.org/sa-contrib-2025-034
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2025-3733
