DRUPAL-CONTRIB-2025-080

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/klaro/DRUPAL-CONTRIB-2025-080.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-080

Aliases

CVE-2025-5682

Published

2025-06-25T18:41:56Z

Modified

2025-12-10T23:41:29.838531Z

Summary

[none]

Details

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading.

The module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific attributes.

References

https://www.drupal.org/sa-contrib-2025-080

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/klaro

Package

Name: drupal/klaro
Purl: pkg:composer/drupal/klaro

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.0.7

Database specific

{
    "constraint": "<3.0.7"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/klaro/DRUPAL-CONTRIB-2025-080.json"

affected_versions

"<3.0.7"