CVE-2025-48447
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in Drupal's Lightgallery module allows attackers to inject malicious scripts into web pages. When exploited, these scripts execute in victims' browsers, potentially stealing session cookies, redirecting users, or performing actions on their behalf. All Drupal sites using vulnerable versions of the Lightgallery module are affected.
💻 Affected Systems
- Drupal Lightgallery module
📦 What is this software?
Lightgallery by Lightgallery Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the Drupal site, install backdoors, deface the site, or exfiltrate sensitive user data.
Likely Case
Attackers steal user session cookies to hijack accounts, redirect users to phishing sites, or perform actions on behalf of authenticated users.
If Mitigated
With proper input validation and output encoding controls, malicious scripts are neutralized before reaching users' browsers, preventing exploitation.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity. Attackers need to trick users into visiting a malicious page or submitting crafted input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.0
Vendor Advisory: https://www.drupal.org/sa-contrib-2025-069
Restart Required: No
Instructions:
1. Update the Lightgallery module to version 1.6.0 or later via Drupal's update manager.
2. Clear Drupal caches.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable Lightgallery module
Temporarily remove the vulnerable module until patching is possible. Drupal 8 and later cannot disable a module, only uninstall it, so the Drush command is pm:uninstall:
drush pm:uninstall lightgallery
Implement Content Security Policy
Add CSP headers to restrict the sources from which scripts may execute
Add a 'Content-Security-Policy' header to the web server configuration
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads
- Enable Drupal's built-in XSS protection features and ensure input validation is enforced
🔍 How to Verify
Check if Vulnerable:
Check Drupal's module status page or use 'drush pm-list' to see whether the Lightgallery module is installed and which version it is running
Check Version:
drush pm-list --fields=name,version | grep lightgallery
Verify Fix Applied:
Confirm that the installed Lightgallery module version is 1.6.0 or higher via the Drupal admin interface or 'drush pm-list'
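The version check above is easy to get wrong by hand because Drupal contrib versions appear in two formats: the legacy core-prefixed form such as 8.x-1.5 and the semantic form such as 1.6.0 or 1.6.0-beta1. The following is an added example, not part of the original advisory or the Lightgallery project, that parses a constructed sample of 'drush pm-list' style output (the column layout is an assumption) and compares the installed version against the 1.6.0 fix version, treating pre-release builds of 1.6.0 as still vulnerable.

```python
import re

# Constructed sample in the shape of `drush pm-list --fields=name,version` output.
# The column layout is an assumption for this example, not captured drush output.
SAMPLE_DRUSH_OUTPUT = """\
 Name          Version
 ------------- ---------
 lightgallery  8.x-1.5
 token         8.x-1.13
"""

FIXED_VERSION = "1.6.0"  # from the vendor advisory


def normalize_version(version):
    """Turn a Drupal contrib version string into a comparable tuple.

    Handles '8.x-1.5', '1.6.0' and '1.6.0-beta1'. Returns
    (major, minor, patch, is_release, prerelease_tag) so that a pre-release
    sorts below the final release with the same number.
    """
    v = version.strip()
    v = re.sub(r"^\d+\.x-", "", v)  # drop the '8.x-' core prefix if present
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?", v)
    if not m:
        # e.g. '8.x-1.x-dev' carries no usable number; refuse to guess
        raise ValueError(f"cannot compare version {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), pre is None, pre or "")


def find_module_version(drush_output, module="lightgallery"):
    """Return the version column for `module`, or None if it is not listed."""
    for line in drush_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == module:
            return parts[1]
    return None


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the patched release."""
    return normalize_version(installed) >= normalize_version(fixed)


def check(drush_output, module="lightgallery"):
    """Classify a site from drush output: 'not installed', 'fixed' or 'vulnerable'."""
    installed = find_module_version(drush_output, module)
    if installed is None:
        return "not installed"
    try:
        return "fixed" if is_fixed(installed) else "vulnerable"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    print(check(SAMPLE_DRUSH_OUTPUT))  # the constructed sample is on 8.x-1.5
```

Run it against real output by piping 'drush pm-list --fields=name,version' into the script instead of the constructed sample; a result of "unknown" (a -dev build) should be treated as unpatched until confirmed.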
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests containing script tags or JavaScript code to Lightgallery endpoints
- Multiple failed authentication attempts following suspicious page visits
Network Indicators:
- HTTP requests containing <script> tags or JavaScript event handlers in parameters
- Outbound connections to suspicious domains after visiting affected pages
SIEM Query:
source="drupal_access.log" AND ("lightgallery" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload="))
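The SIEM query above looks for literal markers in the request, but the same markers usually arrive URL-encoded (and sometimes double-encoded) in the access log, where a naive string match misses them. The following is an added example, not part of the original advisory or of the Lightgallery project, that applies the query's logic to a few constructed combined-format access log lines: it decodes each request target repeatedly before matching, keeps the query's restriction to Lightgallery paths, and reports which indicator fired for each hit. The log lines and paths are constructed for the example, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in combined log format (not real traffic).
# Line 2 carries a URL-encoded <script> tag, line 4 an encoded onerror= handler,
# line 5 a javascript: URI outside any Lightgallery path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2025:10:00:01 +0000] "GET /lightgallery/gallery/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jun/2025:10:00:02 +0000] "GET /lightgallery/gallery/12?caption=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "curl/8.0"
10.0.0.8 - - [01/Jun/2025:10:00:03 +0000] "POST /node/5/edit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2025:10:00:04 +0000] "GET /lightgallery/gallery/3?title=%22%20onerror%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2025:10:00:05 +0000] "GET /node/7?q=javascript:void(0) HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The same markers the SIEM query on this page searches for
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")


def decode_target(target, rounds=3):
    """URL-decode until stable (bounded) so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_indicators(target):
    """Return the list of indicators present in the decoded, lower-cased target."""
    decoded = decode_target(target).lower()
    return [marker for marker in INDICATORS if marker in decoded]


def scan_log(text, path_marker="lightgallery"):
    """Flag requests to Lightgallery paths whose target contains an XSS marker.

    The path filter mirrors the SIEM query's AND "lightgallery" clause; drop it
    to hunt across the whole site at the cost of more noise.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line
        target = m.group("target")
        if path_marker not in target.lower():
            continue
        found = find_indicators(target)
        if found:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "target": target,
                "indicators": found,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["method"], hit["target"], hit["indicators"])
```

Only GET targets are visible in a standard access log; the POST bodies mentioned under Log Indicators need request-body logging or a WAF log to inspect in the same way.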