Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Ignition Error Pages allows Cross-Site Scripting (XSS). This issue affects Ignition Error Pages: from 0.0.0 before 1.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS vulnerability in Drupal Ignition Error Pages module allows HTML injection; fixed in version 1.0.4 and intended only for development.
Vulnerability Description
The Drupal Ignition Error Pages module, which renders error pages using the Ignition package, contains a cross-site scripting (XSS) vulnerability due to insufficient input filtering. The module disables certain Drupal core code and fails to properly neutralize input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript [1][2].
Exploitation Conditions
Exploitation requires the module to be enabled and an attacker to be able to inject crafted input into error pages. The vulnerability is partially mitigated because the module is intended for development use only and not recommended for production environments, limiting the attack surface in typical deployments [2].
Impact
Successful exploitation permits a reflected or stored XSS attack, enabling an attacker to execute arbitrary script in the context of a user's browser. This could lead to session hijacking, defacement, or other actions performed on behalf of the victim [1][2].
Mitigation
The issue affects all versions from 0.0.0 before 1.0.4. The fix is included in Ignition Error Pages version 1.0.4 [2]. Site owners should update to the latest version and avoid using this module in production environments.
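One way to check a Composer-managed site against this advisory, as an added example that is not part of the advisory or the module: it reads a `composer.lock`, flags `drupal/ignition` below 1.0.4, and notes when the module is locked under `packages` rather than `packages-dev`. Treating the `packages` section as "ships to production" is an assumption about how the site is deployed, and the sample lock content is constructed.

```python
import json

PACKAGE = "drupal/ignition"   # Packagist name from the affected-packages table
PATCHED = (1, 0, 4)           # first fixed release per the advisory


def parse_version(raw):
    """Turn '1.0.3' or 'v1.0.4' into a comparable tuple; None if not numeric."""
    parts = raw.lstrip("vV").split("-")[0].split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        return None  # branch aliases such as 1.0.x-dev cannot be compared


def audit_lock(lock_text):
    """Return a list of findings for a composer.lock document given as text."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") != PACKAGE:
                continue
            version = parse_version(pkg.get("version", ""))
            if version is None:
                findings.append(f"unparsed version {pkg.get('version')!r}: check manually")
            elif version < PATCHED:
                findings.append(f"vulnerable {pkg['version']}: update to 1.0.4 or later")
            # Assumption: production is installed with --no-dev, so only
            # entries under "packages" reach it.
            if section == "packages":
                findings.append("locked under require, so --no-dev installs still ship it")
    return findings


# Constructed sample: a vulnerable release required as a normal dependency.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "drupal/core", "version": "10.3.1"},
                 {"name": "drupal/ignition", "version": "1.0.3"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    for line in audit_lock(SAMPLE_LOCK):
        print(line)
```

An empty result means the lock file either does not include the module or pins a fixed release under `packages-dev` only.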
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/ignition (Packagist) | < 1.0.4 | 1.0.4 |
Affected products
- Range: <1.0.4
- Drupal/Ignition Error Pages (v5), Range: 0.0.0
References
- github.com/advisories/GHSA-rhxm-r44m-4325 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-31679 (GHSA, advisory)
- www.drupal.org/sa-contrib-2025-007 (GHSA, web)