CVE-2025-3901
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in Drupal's Bootstrap Site Alert module allows attackers to inject malicious scripts into web pages. It affects Drupal websites using vulnerable versions of the Bootstrap Site Alert module. When exploited, it can lead to session hijacking, credential theft, or website defacement.
💻 Affected Systems
- Drupal Bootstrap Site Alert module
📦 What is this software?
Bootstrap Site Alert by Bootstrap Site Alert Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, take over the Drupal site, install backdoors, and compromise all user data.
Likely Case
Attackers hijack user sessions, steal cookies, redirect users to malicious sites, or deface website content.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting non-sensitive user interactions.
🎯 Exploit Status
XSS vulnerabilities are commonly exploited with readily available tools. The advisory provides enough detail for attackers to craft exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.0 or 3.0.4
Vendor Advisory: https://www.drupal.org/sa-contrib-2025-042
Restart Required: No
Instructions:
1. Update the Bootstrap Site Alert module to version 1.13.0 (for the 1.x branch) or 3.0.4 (for the 3.x branch).
2. Use Drupal's update manager or Composer: 'composer update drupal/bootstrap_site_alert'.
3. Clear Drupal caches after the update.
🔧 Temporary Workarounds
Disable Bootstrap Site Alert module
Temporarily disable the vulnerable module until patching is possible
drush pm:disable bootstrap_site_alert
Or disable via Drupal admin interface at /admin/modules
Implement Content Security Policy
Add CSP headers to mitigate XSS impact by restricting script execution
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or configure via Drupal security modules
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads
- Enable Drupal's built-in XSS protection filters and input validation
🔍 How to Verify
Check if Vulnerable:
Check module version at /admin/modules or run: drush pm:list | grep bootstrap_site_alert
Check Version:
drush pm:list --fields=name,version | grep bootstrap_site_alert
Verify Fix Applied:
Confirm the module version is 1.13.0 or later (1.x branch) or 3.0.4 or later (3.x branch), then test that alert functionality still works
📡 Detection & Monitoring
Log Indicators:
- Unusual alert creation/modification logs
- Suspicious POST requests to alert endpoints
- JavaScript payloads in request parameters
Network Indicators:
- Multiple requests with script tags or JavaScript in parameters
- Requests to alert-related endpoints from unusual sources
SIEM Query:
web_requests WHERE (uri CONTAINS '/admin/structure/block/manage/' OR uri CONTAINS 'alert') AND (params CONTAINS '<script' OR params CONTAINS 'javascript:')
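The SIEM query above is written against an abstract `web_requests` table. The script below is an added example, not part of this advisory, that applies the same logic to raw web server access log lines so it can be run where no SIEM is available: it parses each line, percent-decodes the query string (twice, to catch double-encoded payloads), and flags a request only when the URI matches the alert-related paths AND the parameters contain a script marker. The log lines are constructed samples; the log format, field names and the `scan` / `is_suspicious` helpers are assumptions of this example. Note that access logs carry query strings but not POST bodies, so the "Suspicious POST requests" indicator above still needs WAF or application-level logging to cover form submissions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Combined-log-style format assumed for the constructed samples below (hypothetical).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Conditions mirrored from the advisory's SIEM query.
URI_MARKERS = ("/admin/structure/block/manage/", "alert")
PAYLOAD_MARKERS = ("<script", "javascript:")


def decode(value: str) -> str:
    """Percent-decode twice (single- and double-encoded payloads) and lower-case
    so that case variations such as JAVASCRIPT: are still matched."""
    return unquote_plus(unquote_plus(value)).lower()


def parse_log_line(line: str):
    """Return a dict of the fields the query needs, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "uri": parts.path,            # path only, compared case-insensitively
        "params": decode(parts.query),  # decoded query string stands in for 'params'
    }


def is_suspicious(entry: dict) -> bool:
    """Both halves of the SIEM query must hold: alert-related URI and a script marker."""
    uri = entry["uri"].lower()
    uri_hit = any(marker in uri for marker in URI_MARKERS)
    payload_hit = any(marker in entry["params"] for marker in PAYLOAD_MARKERS)
    return uri_hit and payload_hit


def scan(lines):
    """Return the parsed entries that match the detection logic, in log order."""
    return [e for e in map(parse_log_line, lines) if e is not None and is_suspicious(e)]


# Constructed sample log lines (addresses from documentation ranges, not real traffic).
SAMPLE_LOG = [
    # 1: block-manage path with a single-encoded script tag -> flagged
    '203.0.113.5 - - [10/Apr/2025:10:00:01 +0000] "GET /admin/structure/block/manage/'
    'bootstrap_site_alert?message=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    # 2: ordinary page view -> not flagged
    '198.51.100.7 - - [10/Apr/2025:10:00:02 +0000] "GET /node/12?utm=spring HTTP/1.1" 200 2048',
    # 3: alert-related path, upper-case javascript: URI, percent-encoded -> flagged
    '203.0.113.5 - - [10/Apr/2025:10:00:03 +0000] "POST /admin/config/alert?'
    'link=JAVASCRIPT%3Aalert%281%29 HTTP/1.1" 302 0',
    # 4: script marker but the URI is not alert-related -> not flagged by this query
    '192.0.2.9 - - [10/Apr/2025:10:00:04 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 800',
    # 5: double-encoded payload on an alert path -> flagged because decode() runs twice
    '198.51.100.7 - - [10/Apr/2025:10:00:05 +0000] "GET /alert/preview?'
    'body=%253Cscript%253E HTTP/1.1" 200 300',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["uri"]} params={hit["params"]!r}')
```

Because the query's URI condition is the bare substring 'alert', any path containing that word qualifies, so expect some noise on sites with unrelated "alert" routes; the payload condition is what keeps the result set small. Tightening `URI_MARKERS` to the module's actual routes once confirmed on the site, and feeding `scan` from a WAF log that includes request bodies, are the two obvious ways to sharpen it.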