CVE-2025-31679 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79 that affects the Drupal Ignition Error Pages component, specifically versions prior to 1.0.4 (notably version 0.0.0). This vulnerability arises due to improper neutralization of input during web page generation, allowing malicious actors to inject and execute arbitrary scripts within the context of the affected web pages. The flaw is triggered when user-supplied input is reflected in the error pages generated by the Ignition Error Pages module without adequate sanitization or encoding. Exploiting this vulnerability requires no privileges (PR:N) but does require user interaction (UI:R), such as tricking a user into clicking a crafted link or visiting a malicious page that triggers the vulnerable error page. The attack vector is network-based (AV:N), meaning it can be exploited remotely over the internet. The vulnerability impacts confidentiality and integrity by potentially allowing attackers to steal session cookies, perform actions on behalf of users, or manipulate displayed content. However, it does not affect availability. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire Drupal site session context. The CVSS 3.1 base score is 6.1, categorized as medium severity. No known exploits are currently reported in the wild, and no official patches have been linked yet, though the fixed version is 1.0.4 or later. This vulnerability is significant because Drupal is a widely used content management system (CMS) across many organizations, and error pages are often overlooked as attack surfaces. Attackers exploiting this flaw could leverage social engineering to execute malicious scripts, leading to session hijacking, defacement, or redirection to malicious sites.

For European organizations, this vulnerability poses a moderate risk primarily to web applications and services built on Drupal that utilize the Ignition Error Pages module. Successful exploitation could lead to unauthorized disclosure of sensitive information such as session tokens or user credentials, enabling further compromise of user accounts or administrative functions. Integrity of displayed content could be undermined, damaging organizational reputation and trust. Although availability is not directly impacted, the indirect consequences of compromised user sessions or defaced web pages could disrupt business operations and customer interactions. Sectors such as government, finance, healthcare, and e-commerce, which often rely on Drupal for public-facing websites, are particularly at risk. Given the medium severity and the requirement for user interaction, the threat is more pronounced in environments with high user traffic and less stringent input validation or security awareness. The vulnerability could also facilitate phishing campaigns by injecting malicious scripts that mimic legitimate site behavior, increasing the risk of credential theft. The lack of known exploits in the wild suggests that immediate widespread exploitation is unlikely, but the presence of this vulnerability in a critical CMS component necessitates prompt remediation to prevent future attacks.

1. Upgrade the Drupal Ignition Error Pages module to version 1.0.4 or later as soon as the patch becomes available to ensure the vulnerability is addressed at the source. 2. Implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 3. Employ web application firewalls (WAFs) with rules specifically designed to detect and block reflected XSS payloads targeting Drupal error pages. 4. Conduct thorough input validation and output encoding on all user-supplied data, especially in error handling routines, to prevent injection of malicious scripts. 5. Increase user awareness and training to recognize suspicious links or unexpected error pages that could be used as attack vectors. 6. Monitor web server and application logs for unusual requests or error page triggers that may indicate attempted exploitation. 7. For organizations unable to immediately patch, consider temporarily disabling or customizing error pages to avoid reflecting user input directly. 8. Regularly audit Drupal installations and modules for outdated components and known vulnerabilities to maintain a secure environment.