CVE-2025-31675

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.drupal.org/sa-core-2025-004	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::

History

02 Jun 2025, 16:25

Type	Values Removed	Values Added
First Time		Drupal drupal Drupal
CPE		cpe:2.3:a:drupal:drupal::::::::
References	~~() https://www.drupal.org/sa-core-2025-004 -~~	() https://www.drupal.org/sa-core-2025-004 - Vendor Advisory

29 Apr 2025, 16:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
Summary		(es) Vulnerabilidad de neutralización incorrecta de entrada durante la generación de páginas web ('Cross-site Scripting') en Drupal Drupal core permite Cross-Site Scripting (XSS). Este problema afecta al núcleo de Drupal: desde la versión 8.0.0 hasta la 10.3.14, desde la versión 10.4.0 hasta la 10.4.5, desde la versión 11.0.0 hasta la 11.0.13, desde la versión 11.1.0 hasta la 11.1.5.

31 Mar 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-31 22:15

Updated : 2025-06-02 16:25

NVD link : CVE-2025-31675

Mitre link : CVE-2025-31675

CVE.ORG link : CVE-2025-31675

JSON object : View

Products Affected

drupal

drupal

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-31675", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-03-31T22:15:20.003", "references": [{"url": "https://www.drupal.org/sa-core-2025-004", "tags": ["Vendor Advisory"], "source": "mlhess@drupal.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "mlhess@drupal.org", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de entrada durante la generaci\u00f3n de p\u00e1ginas web ('Cross-site Scripting') en Drupal Drupal core permite Cross-Site Scripting (XSS). Este problema afecta al n\u00facleo de Drupal: desde la versi\u00f3n 8.0.0 hasta la 10.3.14, desde la versi\u00f3n 10.4.0 hasta la 10.4.5, desde la versi\u00f3n 11.0.0 hasta la 11.0.13, desde la versi\u00f3n 11.1.0 hasta la 11.1.5."}], "lastModified": "2025-06-02T16:25:25.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5203ABED-9A31-41A8-9A2E-51114DB3806C", "versionEndExcluding": "10.3.14", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3A7811E7-6793-4CE0-B866-B72B59415A5F", "versionEndExcluding": "10.4.5", "versionStartIncluding": "10.4.0"}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CDD587C1-9A62-4104-92B3-65B6E04BDC95", "versionEndExcluding": "11.0.13", "versionStartIncluding": "11.0.0"}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13E1698C-D69F-4B55-B7B9-1E0F0A7888D6", "versionEndExcluding": "11.1.5", "versionStartIncluding": "11.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "mlhess@drupal.org"}