
CVE-2025-3901: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Drupal Bootstrap Site Alert

Medium
Published: Wed Apr 23 2025 (04/23/2025, 17:07:53 UTC)
Source: CVE
Vendor/Project: Drupal
Product: Bootstrap Site Alert

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Bootstrap Site Alert allows Cross-Site Scripting (XSS). This issue affects Bootstrap Site Alert: from 0.0.0 before 1.13.0, from 3.0.0 before 3.0.4.

AI-Powered Analysis

Last updated: 06/23/2025, 10:35:22 UTC

Technical Analysis

CVE-2025-3901 is a Cross-Site Scripting (XSS) vulnerability identified in the Drupal Bootstrap Site Alert module, specifically affecting versions prior to 1.13.0 for the 0.x branch and prior to 3.0.4 for the 3.x branch. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. This flaw allows an attacker to inject malicious scripts into web pages rendered by the vulnerable module. When a user visits a compromised page, the injected script executes in the context of the user's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. The CVSS v3.1 base score is 6.1 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. The impact on confidentiality and integrity is low (C:L, I:L), with no impact on availability (A:N). No known exploits are currently reported in the wild. The vulnerability is specific to the Bootstrap Site Alert module, a component used in Drupal-based websites to display alert messages, which is widely used in various organizational websites for notifications and announcements. The lack of patches at the time of reporting suggests immediate mitigation steps are necessary to prevent exploitation.

Potential Impact

For European organizations using Drupal websites with the Bootstrap Site Alert module, this vulnerability poses a risk of client-side attacks that can compromise user sessions, steal sensitive information, or manipulate website content. While the direct impact on backend systems is limited, the exploitation can damage organizational reputation, lead to data leakage through session hijacking, and facilitate phishing or social engineering attacks targeting users. Public-facing websites, especially those handling user authentication or sensitive transactions, are at higher risk. The medium severity score reflects that while the vulnerability requires user interaction and does not directly affect availability, the potential for data compromise and user trust erosion is significant. Organizations in sectors such as government, finance, healthcare, and e-commerce, which rely heavily on Drupal for their web presence, may face increased risk due to the strategic importance of their web services and the potential regulatory consequences under GDPR if personal data is compromised.

Mitigation Recommendations

1. Immediate upgrade of the Bootstrap Site Alert module to version 1.13.0 or 3.0.4 (or later) as soon as patches become available.
2. In the interim, implement strict Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the risk of XSS exploitation.
3. Sanitize and validate all user inputs and any dynamic content rendered by the Bootstrap Site Alert module, employing Drupal's built-in filtering and escaping functions.
4. Conduct a thorough audit of all Drupal modules and custom code to identify and remediate similar input validation issues.
5. Educate web administrators and developers on secure coding practices specific to Drupal and XSS prevention.
6. Monitor web server logs and user reports for unusual activity or signs of attempted exploitation.
7. Consider deploying Web Application Firewalls (WAF) with rules tailored to detect and block XSS payloads targeting Drupal sites.
8. For high-risk environments, temporarily disable the Bootstrap Site Alert module if feasible until a secure version is deployed.
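Recommendations 2 and 3 above name two controls (output escaping through Drupal's own APIs, and a CSP header) without showing what they look like in a Drupal code base. The following is an added illustration, not code from the advisory or from the Bootstrap Site Alert module, and it says nothing about how that module is actually implemented. The module name `example_alert`, the class names and the `buildUnsafe`/`buildSafe` helpers are hypothetical; the Drupal APIs used (`inline_template` render elements, `Xss::filter()`, the Symfony `KernelEvents::RESPONSE` subscriber) are real core APIs.

```php
<?php
// Added example for a hypothetical module "example_alert" (not the Bootstrap
// Site Alert module). In a real module the two classes would live in separate
// files under src/ and the subscriber would be registered in
// example_alert.services.yml with the "event_subscriber" tag.

namespace Drupal\example_alert;

use Drupal\Component\Utility\Xss;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class AlertRenderer {

  /**
   * Unsafe pattern (CWE-79): the admin-supplied message is emitted as raw
   * markup, so any stored HTML, including a <script> tag or an on* event
   * handler, is rendered verbatim into every visitor's page.
   */
  public static function buildUnsafe(string $message): array {
    return [
      '#type' => 'inline_template',
      '#template' => '<div class="alert alert-warning">{{ message|raw }}</div>',
      '#context' => ['message' => $message],
    ];
  }

  /**
   * Hardened form. Drupal enables Twig autoescaping, so {{ message }} is
   * HTML-escaped on output; the only change from the unsafe version is
   * dropping |raw. The Bootstrap level goes into an attribute, which is a
   * second injection context, so it is checked against an allow-list rather
   * than interpolated from user input.
   */
  public static function buildSafe(string $message, string $level = 'warning'): array {
    $allowedLevels = ['primary', 'success', 'warning', 'danger'];
    if (!in_array($level, $allowedLevels, TRUE)) {
      $level = 'warning';
    }
    return [
      '#type' => 'inline_template',
      '#template' => '<div class="alert alert-{{ level }}">{{ message }}</div>',
      '#context' => ['message' => $message, 'level' => $level],
    ];
  }

  /**
   * If editors legitimately need limited formatting in the alert body, filter
   * to a small explicit tag list instead of trusting the HTML. Xss::filter()
   * strips tags outside the list, removes on* attributes and neutralises
   * javascript: style URLs in href/src.
   */
  public static function filterRichMessage(string $html): string {
    return Xss::filter($html, ['a', 'em', 'strong', 'br']);
  }

}

/**
 * Interim mitigation 2: attach a Content-Security-Policy header to every
 * response. Without 'unsafe-inline' in script-src, an injected inline script
 * or on* handler is refused by the browser even if a stored payload does
 * reach the page.
 */
class CspSubscriber implements EventSubscriberInterface {

  public static function getSubscribedEvents(): array {
    // Low priority so it runs after other response subscribers.
    return [KernelEvents::RESPONSE => ['onResponse', -10]];
  }

  public function onResponse(ResponseEvent $event): void {
    // Assumed policy: adjust 'self' sources to the site's real script and
    // asset origins before deploying.
    $policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
    $event->getResponse()->headers->set('Content-Security-Policy', $policy);
  }

}
```

Two practical notes. First, the CSP above blocks all inline scripts, and some Drupal themes and contributed modules rely on them; roll it out as `Content-Security-Policy-Report-Only` first and review the violation reports before enforcing, or move to nonce-based `script-src`. Second, `Xss::filter()` is a last resort for content that must carry markup; for a plain text alert, autoescaped Twig output (`buildSafe`) is the simpler and stronger control, and it is the default behaviour as soon as `|raw` is removed.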


Technical Details

Data Version: 5.1
Assigner Short Name: drupal
Date Reserved: 2025-04-23T16:27:30.153Z
CISA Enriched: true

Threat ID: 682d9843c4522896dcbf2cd1

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 10:35:22 AM

Last updated: 7/31/2025, 11:54:49 AM
