DRUPAL-CONTRIB-2025-051

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/iframeremove/DRUPAL-CONTRIB-2025-051.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-051

Aliases

CVE-2025-47705

Published

2025-05-07T17:07:03Z

Modified

2025-12-10T23:41:30.056724Z

Summary

[none]

Details

This module enables you to add a filter to text formats (Full HTML, Filtered HTML), which will remove every iframe where the "src" is not on the allowlist.

The module doesn't sufficiently filter these iframes in certain situations.

This vulnerability is mitigated by the fact that an attacker must be able to edit content that allows iframes.

References

https://www.drupal.org/sa-contrib-2025-051

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/iframeremove

Package

Name: drupal/iframeremove
Purl: pkg:composer/drupal/iframeremove

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.0.5

Database specific

{
    "constraint": "<2.0.5"
}

Database specific

affected_versions

"<2.0.5"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/iframeremove/DRUPAL-CONTRIB-2025-051.json"