CVE-2022-25276

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-25276

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25276.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-25276

Aliases

Downstream

UBUNTU-CVE-2022-25276

Published

2023-04-26T15:15:08.663Z

Modified

2026-02-05T07:22:50.150432Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

References

https://www.drupal.org/sa-core-2022-015

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

698ee686c23de8c97d7e0601cf745b220d54f4e1

Fixed

32680a4aef16035fd6c90014761dcad8de628120

Introduced

970c1b5cfa946f683de326a3f252b5371a42186a

Fixed

bf401c8d5c5a88d442ac7e95a9eb059d123a771c

Affected versions

9.*

9.3.0

9.3.10

9.3.11

9.3.12

9.3.13

9.3.14

9.3.15

9.3.16

9.3.17

9.3.18

9.3.2

9.3.3

9.3.4

9.3.5

9.3.6

9.3.7

9.3.8

9.3.9

9.4.0

9.4.1

9.4.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25276.json"