Moderate severityNVD Advisory· Published Mar 31, 2025· Updated Apr 1, 2025
Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
CVE-2025-3057
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
drupal/corePackagist | >= 8.0.0, < 10.3.13 | 10.3.13 |
drupal/corePackagist | >= 10.4.0, < 10.4.3 | 10.4.3 |
drupal/corePackagist | >= 11.0.0, < 11.0.12 | 11.0.12 |
drupal/corePackagist | >= 11.1.0, < 11.1.3 | 11.1.3 |
Affected products
3- osv-coords2 versions
>= 8.0.0, < 10.4.3+ 1 more
- (no CPE)range: >= 8.0.0, < 10.4.3
- (no CPE)range: >= 8.0.0, < 10.3.13
- Range: 8.0.0
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-39g6-x4x8-5jcmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-3057ghsaADVISORY
- www.drupal.org/sa-core-2025-001ghsaWEB
News mentions
1- Drupal core - Critical - Cross site scripting - SA-CORE-2025-001Drupal Security Advisories · Feb 19, 2025