DRUPAL-CONTRIB-2025-050

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/klaro/DRUPAL-CONTRIB-2025-050.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-050

Aliases

CVE-2025-47704

Published

2025-05-07T17:06:52Z

Modified

2025-12-10T23:41:31.587261Z

Summary

[none]

Details

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.

The module doesn't sufficiently sanitize data attributes allowing persistent Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

References

https://www.drupal.org/sa-contrib-2025-050

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/klaro

Package

Name: drupal/klaro
Purl: pkg:composer/drupal/klaro

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.0.5

Database specific

{
    "constraint": "<3.0.5"
}

Database specific

affected_versions

"<3.0.5"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/klaro/DRUPAL-CONTRIB-2025-050.json"