DRUPAL-CONTRIB-2025-092

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cookies/DRUPAL-CONTRIB-2025-092.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-092

Aliases

CVE-2025-8092

Published

2025-07-23T17:10:19Z

Modified

2025-12-10T23:41:26.267934Z

Summary

[none]

Details

This module allows you to manage video media items using the COOKiES module (disabling external video elements). These elements will be enabled again, once the COOKiES banner is accepted.

The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might contain malicious content under the scenario, that module specific classes are set on the HTML element.

This vulnerability is mitigated by the fact that an attacker must have the correct permissions to have a specific HTML element display for all users, and this HTML element needs to have a specific class set.

References

https://www.drupal.org/sa-contrib-2025-092

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/cookies

Package

Name: drupal/cookies
Purl: pkg:composer/drupal/cookies

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.2.16

Database specific

{
    "constraint": "<1.2.16"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cookies/DRUPAL-CONTRIB-2025-092.json"

affected_versions

"<1.2.16"