Cross-site Scripting Vulnerability in Drupal Obfuscate Plugin
CVE-2025-3130

5.4MEDIUM

Key Information:

Vendor: Drupal
Status: Obfuscate
Vendor: CVE Published:; 2 April 2025

Summary

The Drupal Obfuscate plugin is susceptible to a Cross-site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This security flaw may allow unauthorized users to inject malicious scripts that could be executed in the browser of users viewing affected content. It is crucial for site administrators using versions prior to 2.0.1 to apply the necessary updates to mitigate this risk.

Affected Version(s)

Obfuscate 0.0.0 < 2.0.1

References

https://www.drupal.org/sa-contrib-2025-029

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 2, 2025
Vulnerability Reserved
Apr 2, 2025

Credit

Pierre Rudloff (prudloff)

Nigel Cunningham (nigelcunningham)

Pierre Rudloff (prudloff)

Greg Knaddison (greggles)

Drew Webber (mcdruid)