DRUPAL-CONTRIB-2025-076

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cookies/DRUPAL-CONTRIB-2025-076.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-076

Aliases

CVE-2025-48915

Published

2025-05-28T17:46:09Z

Modified

2025-12-10T23:41:32.117850Z

Summary

[none]

Details

The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.

Each sub-module allows to include a specific third party service in the consent management, by controlling the execution of javascript. However, this does not adequately check whether the provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).

References

https://www.drupal.org/sa-contrib-2025-076

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/cookies

Package

Name: drupal/cookies
Purl: pkg:composer/drupal/cookies

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.2.15

Database specific

{
    "constraint": "<1.2.15"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cookies/DRUPAL-CONTRIB-2025-076.json"

affected_versions

"<1.2.15"