<div dir="ltr"><div>View online: <a href="https://www.drupal.org/sa-contrib-2025-042" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2025-042</a><br>
<br>
Project: Bootstrap Site Alert [1]<br>
Date: 2025-April-23<br>
Security risk: *Moderately critical* 13 ∕ 25<br>
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]<br>
Vulnerability: Cross Site Scripting<br>
<br>
Affected versions: <1.13.0 || >=3.0.0 <3.0.4<br>
CVE IDs: CVE-2025-3901<br>
Description: <br>
This module enables you to put a site wide bootstrap themed alert message on<br>
the top of every page.<br>
<br>
The module doesn't sufficiently filter text input, leading to possible<br>
XSS attacks.<br>
<br>
This vulnerability is mitigated by the fact that an attacker must have a role<br>
with the permission "administer bootstrap site alerts".<br>
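<br>
The description above is the general shape of a stored XSS in an administrator-entered message: a string saved from a configuration form is later emitted into every page as raw markup, so one account holding the relevant permission can inject script that runs in every visitor's browser. The PHP below is an added illustration of that pattern next to the usual Drupal-side fixes; it is not code from the Bootstrap Site Alert module and does not reproduce the actual flaw. It assumes Drupal's utility classes are installed through Composer (`drupal/core-utility`, assumed at `vendor/autoload.php`), and the `$alert_text` value and the `bootstrap_alert_render_*` function names are hypothetical.<br>
<br>
```php
<?php
// Added illustration of the stored-XSS pattern; not code from the
// Bootstrap Site Alert module. Assumes Drupal's utility classes are
// available, e.g. `composer require drupal/core-utility` (assumption).
require_once __DIR__ . '/vendor/autoload.php';

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;

// Constructed sample of what a holder of the administrative permission
// might save into the alert-text field: legitimate formatting (<b>) mixed
// with an event handler that must never reach visitors' browsers.
$alert_text = 'Maintenance <b>tonight</b> <img src=x onerror="alert(1)">';

// VULNERABLE PATTERN: the stored string is concatenated straight into the
// page. Every attribute in $alert_text, including onerror, is delivered
// unchanged to every visitor, which is why the permission is the only
// mitigating factor in this class of bug.
function bootstrap_alert_render_unfiltered(string $text): string {
  return '<div class="alert alert-warning">' . $text . '</div>';
}

// FIX 1: keep basic formatting but strip script and event handlers.
// Xss::filterAdmin() allows the admin tag list (b, strong, a, em, img, ...)
// and drops dangerous tags and attributes; here the <img> element survives
// but its onerror attribute is removed.
function bootstrap_alert_render_filtered(string $text): string {
  return '<div class="alert alert-warning">' . Xss::filterAdmin($text) . '</div>';
}

// FIX 2: if the message never needs markup, escape it completely so the
// browser shows the tags as literal text.
function bootstrap_alert_render_escaped(string $text): string {
  return '<div class="alert alert-warning">' . Html::escape($text) . '</div>';
}

// In a real module the output would be a render array rather than a string.
// '#markup' is passed through Xss::filterAdmin() by default and '#plain_text'
// is fully escaped, so either form avoids the raw concatenation above.
function bootstrap_alert_render_array(string $text): array {
  return [
    '#type' => 'container',
    '#attributes' => ['class' => ['alert', 'alert-warning']],
    'message' => ['#markup' => $text],   // onerror is dropped at render time
  ];
}

echo "unfiltered: ", bootstrap_alert_render_unfiltered($alert_text), PHP_EOL;
echo "filtered:   ", bootstrap_alert_render_filtered($alert_text), PHP_EOL;
echo "escaped:    ", bootstrap_alert_render_escaped($alert_text), PHP_EOL;
```
<br>
When reviewing a module that renders administrator-supplied text site-wide, the thing to look for is the first pattern: a stored string reaching the page through string concatenation, `Markup::create()`, or a Twig `|raw` filter without passing through `Xss::filterAdmin()`, `Html::escape()`, or a render array element that applies them.<br>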
<br>
Solution: <br>
Install the latest version:<br>
<br>
  * If you use the bootstrap_site_alert module 8.x-1.x, upgrade to<br>
    bootstrap_site_alert 8.x-1.23. [3]<br>
  * If you use the bootstrap_site_alert module 3.0.x, upgrade to<br>
    bootstrap_site_alert 3.0.4. [4]<br>
<br>
Reported By: <br>
  * Mitch Portier (arkener) [5]<br>
  * Elijah Byrd (elibyrd) [6]<br>
<br>
Fixed By: <br>
  * Mitch Portier (arkener) [7]<br>
  * Joseph Olstad (joseph.olstad) [8]<br>
  * Ivo Van Geertruyen (mr.baileys) [9] of the Drupal Security Team<br>
<br>
Coordinated By: <br>
  * Greg Knaddison (greggles) [10] of the Drupal Security Team<br>
  * Juraj Nemec (poker10) [11] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/bootstrap_site_alert" rel="noreferrer" target="_blank">https://www.drupal.org/project/bootstrap_site_alert</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/bootstrap_site_alert/releases/8.x-1.13" rel="noreferrer" target="_blank">https://www.drupal.org/project/bootstrap_site_alert/releases/8.x-1.13</a><br>
[4] <a href="https://www.drupal.org/project/bootstrap_site_alert/releases/3.0.4" rel="noreferrer" target="_blank">https://www.drupal.org/project/bootstrap_site_alert/releases/3.0.4</a><br>
[5] <a href="https://www.drupal.org/u/arkener" rel="noreferrer" target="_blank">https://www.drupal.org/u/arkener</a><br>
[6] <a href="https://www.drupal.org/u/elibyrd" rel="noreferrer" target="_blank">https://www.drupal.org/u/elibyrd</a><br>
[7] <a href="https://www.drupal.org/u/arkener" rel="noreferrer" target="_blank">https://www.drupal.org/u/arkener</a><br>
[8] <a href="https://www.drupal.org/u/josepholstad" rel="noreferrer" target="_blank">https://www.drupal.org/u/josepholstad</a><br>
[9] <a href="https://www.drupal.org/u/mrbaileys" rel="noreferrer" target="_blank">https://www.drupal.org/u/mrbaileys</a><br>
[10] <a href="https://www.drupal.org/u/greggles" rel="noreferrer" target="_blank">https://www.drupal.org/u/greggles</a><br>
[11] <a href="https://www.drupal.org/u/poker10" rel="noreferrer" target="_blank">https://www.drupal.org/u/poker10</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div style="color:rgb(34,34,34)">Computer Security Incident Response Team - CSIRT</div><div style="color:rgb(34,34,34)">Executive Directorate of Information and Communication Technology - DETIC</div><div style="color:rgb(34,34,34)">Universidade Estadual de Campinas - Unicamp</div><div style="color:rgb(34,34,34)">GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" style="color:rgb(17,85,204)" target="_blank">http://www.security.unicamp.br/security.asc</a></div><div style="color:rgb(34,34,34)">Contact: +55 19 3521-2289 or INOC-DBA: 1251*830</div></div></div></div></div>