CVE-2025-31687

Cross-Site Scripting
Affects
SpamSpan
>=7.0.0 <7.2.1
in
Drupal 7
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications.

The Drupal SpamSpan module obfuscates email addresses to help prevent spambots from harvesting them. However, a flaw in the sanitization the module applies when an obfuscated email link is reconstituted leaves it vulnerable to certain cross-site scripting exploits.
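The flaw described above, as an added illustration that is not SpamSpan's own code: an email address that has been split into a local part and a domain is rebuilt into a mailto link, first by plain string concatenation (the pattern that lets a quote character close the href attribute and turn the rest of the address into markup) and then with allow-list validation plus context-aware escaping. All function names, the regular expressions and the sample input are constructed for this example.

```javascript
// Added example (not SpamSpan's code): unsafe versus hardened reassembly of
// an obfuscated email address into an <a href="mailto:..."> element.

// Escape the five characters that carry meaning in HTML text and attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Conservative allow-list (constructed for this example) for what a local
// part and a domain may contain; anything else is rejected before it can
// reach the markup.
const LOCAL_PART = /^[A-Za-z0-9._%+-]+$/;
const DOMAIN = /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function isValidAddressParts(user, domain) {
  return LOCAL_PART.test(user) && DOMAIN.test(domain);
}

// Vulnerable pattern: the address is concatenated straight into the href
// attribute and the element body. A double quote in `user` closes the
// attribute, and whatever follows is parsed as HTML.
function unsafeBuildLink(user, domain) {
  const addr = user + "@" + domain;
  return '<a href="mailto:' + addr + '">' + addr + "</a>";
}

// Hardened pattern: validate first, then escape for the attribute and text
// contexts. Returns null when the parts do not look like an address.
function safeBuildLink(user, domain) {
  if (!isValidAddressParts(user, domain)) return null;
  const addr = escapeHtml(user + "@" + domain);
  return '<a href="mailto:' + addr + '">' + addr + "</a>";
}

// Detection helper for a filter's output: does the produced markup contain
// any tag other than the single <a>...</a> the filter intended to emit?
function hasUnexpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?a(\s|>)/.test(t));
}

// Constructed input with the attribute-breakout shape: a quote closes the
// href, then an extra element follows. A benign <b> stands in for any tag.
const hostileUser = 'a"><b>injected</b>';
const hostileDomain = "example.com";

const unsafeOut = unsafeBuildLink(hostileUser, hostileDomain);
console.log("unsafe:", unsafeOut);
console.log("unexpected tags in unsafe output:", hasUnexpectedTags(unsafeOut)); // true

console.log("safe:", safeBuildLink(hostileUser, hostileDomain)); // null, rejected
console.log("safe (valid address):", safeBuildLink("alice", "example.com"));

// Even if validation were skipped, escaping alone keeps the input inert.
console.log("escaped only:", escapeHtml(hostileUser + "@" + hostileDomain));
```

The two defenses are deliberately independent: validation rejects input that can never be a legitimate address, and escaping guarantees that whatever does reach the markup is rendered as text in both the attribute and the body context. A filter that relies on only one of them fails as soon as the other assumption is wrong.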

A cross-site scripting (XSS) vulnerability is a type of security flaw that allows attackers to inject malicious scripts into webpages. It typically occurs when a site fails to properly validate or sanitize user input, enabling unauthorized code to execute in a victim's browser. It is included in the OWASP Top Ten list of vulnerabilities, specifically in the third category, Injection. A website compromised in this way may experience:

  • Session hijacking
  • Data theft
  • Malware distribution
  • Defacement or phishing
  • Privilege escalation

This issue affects SpamSpan module versions earlier than 7.2.1.

Details

Module Info

Project Page: https://www.drupal.org/project/spamspan

Affected Versions: >=7.0.0 <7.2.1

Vulnerability Info

This medium-severity vulnerability is found in SpamSpan versions lower than 7.2.1.

Steps To Reproduce

  1. Create a Drupal 7 installation and install a SpamSpan version that is vulnerable to the exploit, such as 7.x-1.2.
  2. Enable the module.
  3. Configure the Full HTML text format at /admin/config/content/formats/full_html by:
    1. Disabling all filters except for the SpamSpan filter.
    2. Leaving the filter processing order unchanged.
    3. Leaving the default options under "Filter Settings."
  4. Create an article by visiting /node/add/article and setting the text format to Full HTML. Save it.
  5. Craft the exploit, such as:
a@gmail.com"><script>alert("Hacked!")</script>

Credits

Addressing the Issue

Users of the affected component(s) should apply one of the following mitigations:

  • Disable the module.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.

Additional Resources

Vulnerability Details

ID: CVE-2025-31687
Project Affected: SpamSpan
Versions Affected: >=7.0.0 <7.2.1
Published date: May 16, 2025
≈ Fix date: March 3, 2025
Fixed in:
Severity: Medium
Category: Cross-Site Scripting