CVE-2025-3901

Cross-Site Scripting
Affects: Bootstrap Site Alert module in Bootstrap
Versions: <=7.1.6
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. The Bootstrap Site Alert contributed module provides a way to present a site-wide alert that is compatible with Bootstrap themes.

The fix provided by HeroDevs adds sanitization to the message used for the alert. The vulnerability was first identified in the module's releases for later versions of Drupal.

A cross-site scripting (XSS) vulnerability allows attackers to inject malicious scripts into webpages. It typically occurs when a site fails to properly validate or sanitize user input, enabling the execution of unauthorized code within a victim's browser. It is included in the OWASP Top Ten list of vulnerabilities, specifically in the third category, Injection. A website compromised in this way may experience:

  • Session hijacking
  • Data theft
  • Malware distribution
  • Defacement or phishing, and
  • Privilege escalation.

This issue affects all versions of Drupal 7 Bootstrap Site Alert at or below 7.1.6 and is patched in Bootstrap Site Alert NES version 7.1.7.

Details

Module Info

Product: Drupal
Affected modules: Bootstrap Site Alert Contributed Module
Affected versions: <= 7.1.6
Project page: https://www.drupal.org/project/bootstrap_site_alert

Vulnerability Info

This medium-severity vulnerability affects all versions of the Bootstrap Site Alert module up to and including 7.1.6. It is mitigated by the fact that an attacker must hold a role with the permission "administer bootstrap site alerts."

The vulnerability, first described for the version of the module compatible with later Drupal releases (CVE-2025-3901), is a stored cross-site scripting (XSS) vulnerability in the Bootstrap Site Alert module. Insufficient sanitization allows a malicious user with edit permission to submit a malicious payload as the alert message.

The fix calls the check_markup() function from Drupal core, which runs user-supplied text through the filters of a configured text format and is the standard way to sanitize it before rendering.
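The following is an added illustration of the pattern the fix describes; it is not the module's own code, and every function, variable and menu path prefixed example_alert is hypothetical. It contrasts a Drupal 7 render callback that emits the stored alert message verbatim with one that passes it through check_markup() with an explicit, restrictive text format, and shows the settings form and menu entry that keep editing behind the "administer bootstrap site alerts" permission named above.

```php
<?php
/**
 * Added illustration (not the module's own code). All example_alert_*
 * names and the variable keys are hypothetical.
 */

/**
 * Vulnerable pattern: the stored message is concatenated into the page as-is.
 * Whatever a user holding "administer bootstrap site alerts" saved is emitted
 * unchanged, so any markup in it executes in every visitor's browser.
 */
function example_alert_render_unsafe() {
  $message = variable_get('example_alert_message', '');
  return array(
    '#markup' => '<div class="alert alert-warning">' . $message . '</div>',
  );
}

/**
 * Fixed pattern: run the message through check_markup() before it reaches
 * the page. check_markup() applies the filters of the given text format; with
 * the stock "filtered_html" format that limits HTML to a short allow-list and
 * removes script and event-handler attributes, so the result is safe in #markup.
 */
function example_alert_render_safe() {
  $message = variable_get('example_alert_message', '');
  // The format id is stored next to the message so the admin's choice is
  // honoured. Default to a filtering format, never to "full_html".
  $format = variable_get('example_alert_format', 'filtered_html');
  if (!filter_format_load($format)) {
    // Unknown or deleted format: fall back to core's plain-text format.
    $format = filter_fallback_format();
  }
  return array(
    '#markup' => '<div class="alert alert-warning">' . check_markup($message, $format) . '</div>',
  );
}

/**
 * Settings form. A text_format element stores both the text and the chosen
 * format, and only offers formats the current user is allowed to use.
 */
function example_alert_settings_form($form, &$form_state) {
  $form['message'] = array(
    '#type' => 'text_format',
    '#title' => t('Alert message'),
    '#default_value' => variable_get('example_alert_message', ''),
    '#format' => variable_get('example_alert_format', 'filtered_html'),
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save alert'));
  return $form;
}

function example_alert_settings_form_submit($form, &$form_state) {
  // text_format submits an array with 'value' and 'format' keys.
  variable_set('example_alert_message', $form_state['values']['message']['value']);
  variable_set('example_alert_format', $form_state['values']['message']['format']);
  drupal_set_message(t('The alert has been saved.'));
}

/**
 * Menu entry: editing the alert stays behind the module's admin permission,
 * which is the first mitigation listed in this advisory.
 */
function example_alert_menu() {
  $items['admin/config/system/example-alert'] = array(
    'title' => 'Site alert',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_alert_settings_form'),
    'access arguments' => array('administer bootstrap site alerts'),
  );
  return $items;
}
```

The important design choice is that sanitization happens at render time with a format the site controls: if an administrator account is compromised, the stored message still passes through the filter pipeline before any visitor sees it, and the permission gate limits who can store a message in the first place.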

Addressing the Issue

Users of the affected component(s) should address this vulnerability in one of the following ways:

  • Ensure that only trusted users hold the permission to administer this module.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.

Credits

Vulnerability Details

ID: CVE-2025-3901
Project affected: Bootstrap Site Alert module
Versions affected: <=7.1.6
Published date: November 5, 2025
Fix date: ≈ August 25, 2025
Severity: Medium
CVSS scale: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10
Category: Cross-Site Scripting