Project:
Date:
2025-April-23
Vulnerability:
Cross Site Scripting
Affected versions:
<1.13.0 || >=3.0.0 <3.0.4
CVE IDs:
CVE-2025-3901
Description:
This module enables you to put a site wide bootstrap themed alert message on the top of every page.
The module doesn't sufficiently filter text input when leading to a possible XSS attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer bootstrap site alerts".
Solution:
Install the latest version:
- If you use the bootstrap_site_alert module 8.x-1.x, upgrade to bootstrap_site_alert 8.x-1.23.
- If you use the bootstrap_site_alerts module 3.0.x, upgrade to bootstrap_site_alert 3.0.4.
Reported By:
Fixed By:
- Mitch Portier (arkener)
- Joseph Olstad (joseph.olstad)
- Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
