Cross-Site Scripting Vulnerability in Drupal Bootstrap Site Alert Plugin
CVE-2025-3901

Currently unrated

Key Information:

Vendor: Drupal
Status: Bootstrap Site Alert
Vendor: CVE Published:; 23 April 2025

Summary

The Bootstrap Site Alert plugin for Drupal is prone to a Cross-Site Scripting vulnerability that occurs due to improper handling of user input during web page generation. This flaw can allow attackers to inject malicious scripts into web pages viewed by users, potentially compromising user data and session integrity. The vulnerability impacts specific versions of the plugin before 1.13.0 and 3.0.4, necessitating immediate updates for users to secure their applications.

Affected Version(s)

Bootstrap Site Alert 0.0.0 < 1.13.0

Bootstrap Site Alert 3.0.0 < 3.0.4

References

https://www.drupal.org/sa-contrib-2025-042

Timeline

Vulnerability published
Apr 23, 2025
Vulnerability Reserved
Apr 23, 2025

Credit

Mitch Portier (arkener)

Elijah Byrd (elibyrd)

Mitch Portier (arkener)

Joseph Olstad (joseph.olstad)

Ivo Van Geertruyen (mr.baileys)

Greg Knaddison (greggles)

Juraj Nemec (poker10)