DRUPAL-CONTRIB-2025-048

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/oembed_providers/DRUPAL-CONTRIB-2025-048.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-048
Aliases
  • CVE-2025-47702
Published
2025-05-07T17:06:26Z
Modified
2025-12-10T23:41:24.038825Z
Summary
[none]
Details

This module extends the core Media module and allows site creators to permit oEmbed providers in addition to YouTube and Vimeo, the two providers the Drupal Security Team deems trustworthy.

The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be granted too broadly and to users without the ability to adequately vet providers. A malicious provider could execute a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must 1) have a role with the permission "administer oembed providers", 2) have a role with the ability to create or edit Media entities, and 3) have provisioned a publicly accessible, malicious provider.
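How a Drupal module marks a permission as restricted, shown as an added illustration that is not the module's own code: the weak declaration beside the corrected one in a permissions.yml. Only the permission name comes from the advisory; the file name and title text are assumed.

```yaml
# Assumed file: oembed_providers.permissions.yml (illustrative, not the module's actual file)

# Weak: nothing signals that this permission is sensitive, so a site builder can
# grant it to broad roles whose members are not able to vet third-party providers.
administer oembed providers:
  title: 'Administer oEmbed providers'
---
# Corrected: 'restrict access: true' makes Drupal flag the permission on the
# permissions page with its "give to trusted roles only" warning, so it is
# far less likely to be granted to untrusted roles by accident.
administer oembed providers:
  title: 'Administer oEmbed providers'
  restrict access: true
```

After updating, review which roles already hold the permission; the flag warns on future grants but does not revoke existing ones.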

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/oembed_providers

Package

Name
drupal/oembed_providers
Purl
pkg:composer/drupal/oembed_providers

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.2.2
Database specific
{
    "constraint": "<2.2.2"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/oembed_providers/DRUPAL-CONTRIB-2025-048.json"
affected_versions
"<2.2.2"