By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2025-3900

Cross-Site Scripting
Affects
Colorbox
in
Drupal 7
NES for Drupal 7
Versions
>=7.0.0 <=7.2.19
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications.

The Colorbox module presents images, iframed or inline content to be displayed in a modal above the current page.

Because the Colorbox module doesn't sufficiently sanitize data attributes before opening modals, it’s possible for a malicious actor to include links that give further access to the website. The vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

A cross-site scripting (XSS) vulnerability allows attackers to inject malicious scripts into webpages. It often occurs when a site fails to properly validate or sanitize user input, enabling the execution of unauthorized code within a victim's browser. It is included in the OWASP Top Ten list of vulnerabilities, specifically in the third category of Injection. A web site compromised in this way may experience:

  • Session hijacking
  • Data theft
  • Malware distribution
  • Defacement or phishing, and
  • Privilege escalation.

This issue affects all versions of Drupal 7 Colorbox equal to or lower than 7.2.19 and is patched in Colorbox NES version 7.2.20.

Details

Module Info

Vulnerability Info

This medium-severity vulnerability is found in all versions of the Colorbox module equal to or lower than 7.2.19.

Without complete sanitization, several variations of XSS exploits are possible:

  • data-cbox-title attribute

<a class="colorbox" data-cbox-title="<img src=x onerror=alert()>" href="https://example.com">test</a>

  • javascript: protocol in data-cbox-href attribute

<a class="colorbox" data-cbox-href="javascript:alert()" href="https://example.com">test</a>

  • non-http/https protocols in href attribute
    <a class="colorbox" href="javascript:alert()">test</a> (or data:, vbscript:, etc.)
  • data-cbox-iframe-attrs attribute
  • other colorbox data attributes such as data-cbox-next, data-cbox-previous, data-cbox-current, data-cbox-close, data-cbox-slideshowstop, data-cbox-slideshowstart, data-cbox-xhr-error, data-cbox-imgerrordata-cbox-html.

Steps To Reproduce

  1. On a vanilla Drupal 7 instance, install and enable a susceptible version of Colorbox (any version under 1.20), which will place the vulnerable Javascript code in sites/all/libraries/colorbox/colorbox/jquery.colorbox.js.
  2. Configure Colorbox:
    • Go to admin/config/media/colorbox
    • Check "Enable Colorbox load" (this enables colorbox-load class).
    • Save configuration.
  3. With the default Article content type, configure the display for the image field:
    • Go to admin/structure/types/manage/article/display.
    • Set the image field format to "Colorbox."
    • Click Save.
  4. The default Text Format Permissions will work for these steps.

Demonstrate One Exploit

  1. Log in as the admin user, which should have all necessary permissions.
  2. Create a new article at node/add/article:
    1. In the body field, confirm the input format is "Full HTML."
    2. Enter this HTML:
<a class="colorbox" data-cbox-title="&lt;img src=x onerror=alert()&gt;" href="/misc/druplicon.png">Click for XSS Test</a>

  1. Add any image to the image field (to ensure Colorbox library loads).
  2. Save the node.
  1. View the node.
  2. Click the "Click for XSS Test" link
  3. Expected result (with vulnerable code): Alert popup appears.
  4. Expected result (with patched module): Alert popup does not appear.

Addressing the Issue

Users of the affected component(s) should address this exploit in one of the following ways:

  • Remove "Full HTML" format access from untrusted users.
  • Disable the module.
  • For defense-in-depth, enable strict Content Security Policy (CSP) Headers.
  • Disable Javascript for Colorbox links (which prevents Colorbox from working at all).
  • However, the above may not deter determined attackers and have trade-offs. Consider signing up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.

Credits

Pink arrow
Pink arrow
CVE-2025-31687
CVE-2025-31689
SA-CORE-2025-002
SA-CONTRIB-2025-072
SA-CONTRIB-2025-028
CVE-2025-3901
CVE-2025-12848
CVE-2025-3900
CVE-2024-13247
CVE-2025-14556
CVE-2025-14557
CVE-2025-47705
CVE-2026-0750
CVE-2025-12848
CVE-2026-0749
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2025-3900
PROJECT Affected
Colorbox
Versions Affected
>=7.0.0 <=7.2.19
Published date
December 3, 2025
≈ Fix date
April 23, 2026
Fixed in
NES for Drupal 7
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
Category
Cross-Site Scripting
Sign up for the latest vulnerability alerts fixed in
NES for Drupal 7
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.