CVE-2025-6676
BaseFortify
Publication date: 2025-06-26
Last updated on: 2025-07-11
Assigner: Drupal.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gbyte | simple_xml_sitemap | to 4.2.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6676 is a Cross-site Scripting (XSS) vulnerability in the Drupal Simple XML sitemap module. It occurs because the module does not properly sanitize input during its administration, allowing an attacker with the 'administer sitemap settings' permission to inject malicious scripts. This can lead to unauthorized script execution within the context of the affected site. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrative permissions on the sitemap settings to execute malicious scripts, potentially leading to partial compromise of confidentiality and integrity of the site data. It could be used to steal sensitive information, manipulate site content, or perform actions on behalf of legitimate users. The impact is moderate with some confidentiality and integrity loss but no availability impact. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the version of the Simple XML sitemap module installed in your Drupal system. Versions prior to 4.2.2 are vulnerable. Additionally, review user permissions to identify if any untrusted users have the 'administer sitemap settings' permission, which is required to exploit this vulnerability. There are no specific network detection commands provided. You can check the module version via Drupal's administrative interface or by running a command like 'drush pm-list | grep simple_xml_sitemap' to see the installed version. Also, review user permissions with 'drush user:perm' or through the Drupal admin UI. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Simple XML sitemap module to version 4.2.2 or later, which contains the fix for this vulnerability. Additionally, ensure that only trusted users have the 'administer sitemap settings' permission to prevent potential exploitation. [1]