By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2024-13247

Cross-Site Scripting
Affects
Coffee
in
Drupal 7
No items found.
Versions
>=7.0.0 <=7.1.4
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. The Coffee contributed module allows users to quickly access any admin page with just a few keystrokes in the manner of macOS Spotlight or Windows PowerToys Run.

The Coffee module in Drupal has a cross-site scripting (XSS) vulnerability stemming from inadequate sanitization of menu names displayed in its search popup. This flaw could potentially allow malicious code injection, though it's tempered by the need for attackers to hold elevated permissions (specifically the "administer menus and menu items" role), which limits its exploitability to privileged users.

A cross-site scripting (XSS) vulnerability allows attackers to inject malicious scripts into webpages. It often occurs when a site fails to properly validate or sanitize user input, enabling the execution of unauthorized code within a victim's browser. It is included in the OWASP Top Ten list of vulnerabilities, specifically in the third category of Injection. A web site compromised in this way may experience:

  • Session hijacking
  • Data theft
  • Malware distribution
  • Defacement or phishing and
  • Privilege escalation.

This issue affects all versions of the Drupal 7 version of the Coffee module including and below 7.1.4; it is patched  in Coffee NES version 7.2.5 and is a backport of the Drupal 8+ version.

Details

Module Info

Vulnerability Info

This low-severity vulnerability is found in all versions of the Coffee module equal to or lower than 7.1.4

This is a port of a patched vulnerability described in Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011.

Addressing the Issue

Users of the affected component(s) can address this exploit in one of the following ways:

  • Disable the module.
  • Ensure that only trusted users have permission to add menu items.
  • The only true mitigations are to disable the module and to patch it. Consider signing up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.

Credits

Patrick Fey (feyp)

Pink arrow
Pink arrow
CVE-2025-31687
CVE-2025-31689
SA-CORE-2025-002
SA-CONTRIB-2025-072
SA-CONTRIB-2025-028
CVE-2025-3901
CVE-2025-12848
CVE-2025-3900
CVE-2024-13247
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2024-13247
PROJECT Affected
Coffee
Versions Affected
>=7.0.0 <=7.1.4
Published date
December 11, 2025
≈ Fix date
February 3, 2025
Fixed in
NES for Drupal 7
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
Category
Cross-Site Scripting
Sign up for the latest vulnerability alerts fixed in
NES for Drupal 7
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.