DRUPAL-CONTRIB-2019-033

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/eu_cookie_compliance/DRUPAL-CONTRIB-2019-033.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2019-033
Published
2019-03-06T18:16:22Z
Modified
2025-12-10T23:29:56.997332Z
Summary
[none]
Details

This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or otherwise handles their personal information.

The module doesn't sufficiently sanitize data for some interface labels and strings shown in the cookie policy banner, opening up possibility of Cross Site Scripting exploits that can be created by somebody that has access to the admin interface of the module.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer EU Cookie Compliance banner". For Drupal 8, the vulnerability also requires access to a text format that doesn't sanitize data.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/eu_cookie_compliance

Package

Name
drupal/eu_cookie_compliance
Purl
pkg:composer/drupal/eu_cookie_compliance

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.0
Database specific
{
    "constraint": "<1.3.0"
}

Database specific

affected_versions
"<1.3.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/eu_cookie_compliance/DRUPAL-CONTRIB-2019-033.json"