Cross-Site Scripting Vulnerability in Drupal Colorbox by Drupal
CVE-2025-3900
6.1 MEDIUM
Summary
An input validation flaw in Drupal's Colorbox module permits attackers to inject malicious scripts into web pages viewed by users. The injected scripts execute in the context of the user's browser, potentially leading to data theft or account compromise. Users of Colorbox versions prior to 2.1.3 should update their installations to protect their applications from such exploits.
Affected Version(s)
Colorbox 0.0.0 < 2.1.3
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Pierre Rudloff (prudloff)
Jen Lampton (jenlampton)
Paul McKibben (paulmckibben)
Greg Knaddison (greggles)
Juraj Nemec (poker10)