EUVD-2025-18290

| CVE-2025-48920 HIGH
2025-06-13 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 21:34 euvd
EUVD-2025-18290
Analysis Generated
Mar 14, 2026 - 21:34 vuln.today
CVE Published
Jun 13, 2025 - 16:15 nvd
HIGH 7.3

Tags

XSS Drupal PHP Etracker

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal etracker allows Cross-Site Scripting (XSS).This issue affects etracker: from 0.0.0 before 3.1.0.

Analysis

Stored/Reflected Cross-Site Scripting (XSS) vulnerability in the Drupal etracker module that allows unauthenticated remote attackers to inject malicious scripts into web pages without requiring user interaction. The vulnerability affects etracker versions prior to 3.1.0, enabling attackers to steal session tokens, perform unauthorized actions, or redirect users to malicious sites. The CVSS 7.3 score and network-accessible attack vector indicate this is a significant vulnerability affecting any Drupal installation with the vulnerable etracker module enabled.

Technical Context

The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied input is not properly sanitized or escaped before being rendered in HTML context. The Drupal etracker module fails to properly neutralize user inputs that may be reflected or stored in web pages, allowing attackers to inject JavaScript payloads. Drupal's security model relies on proper use of sanitization functions (like Xss::filter() or check_plain()) and output escaping through templating engines. The etracker module likely accepts user input (through form submissions, URL parameters, or configuration) without applying adequate input validation or output encoding, violating OWASP Top 10 2021 A03:2021 - Injection principles.

Affected Products

Drupal etracker module versions 0.0.0 through 3.0.x (before 3.1.0). CPE representation: cpe:2.3:a:drupal:etracker:*:*:*:*:*:*:*:* (versions <3.1.0). All installations of Drupal running the etracker module are affected regardless of Drupal core version, though Drupal security best practices and Content Security Policy headers may provide partial mitigation. Drupal.org security advisory for etracker module should be consulted for official patch release details.

Remediation

Immediate actions: (1) Update the etracker module to version 3.1.0 or later immediately—this is the official patched version that neutralizes the XSS input. (2) If immediate patching is not possible, disable the etracker module temporarily via Drupal admin or drush: `drush pm-disable etracker`. (3) Implement Content Security Policy (CSP) headers with script-src restrictions to mitigate XSS impact. (4) Review web server logs and database audit logs for evidence of exploitation (unusual script tags in module-related parameters). (5) Force user session invalidation post-patch to clear any stolen tokens. (6) Apply Drupal security updates for core and all contrib modules. Refer to https://www.drupal.org/project/etracker for official advisory and patch downloads.

Priority Score

37
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +36
POC: 0

Share

EUVD-2025-18290 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy