Cross-Site Scripting in Drupal Block Class by Drupal
CVE-2025-3902
Currently unrated
Summary
Improper neutralization of input during web page generation in Drupal Block Class makes it susceptible to cross-site scripting (XSS) attacks. The vulnerability arises when user input is not adequately sanitized, allowing attackers to inject malicious scripts into web pages viewed by other users. Such exploits can lead to data theft, session hijacking, and unauthorized actions on behalf of users. Block Class versions from 4.0.0 up to, but not including, 4.0.1 are affected. It is essential that Drupal users running an affected version update their installations to mitigate this risk.
Affected Version(s)
Block Class 4.0.0 < 4.0.1
Credit
Ivo Van Geertruyen (mr.baileys)
renatog
Greg Knaddison (greggles)
Juraj Nemec (poker10)