DRUPAL-CONTRIB-2025-071

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/simple_klaro/DRUPAL-CONTRIB-2025-071.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-071

Aliases

CVE-2025-48918

Published

2025-05-28T17:43:23Z

Modified

2025-12-10T23:41:27.321449Z

Summary

[none]

Details

The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend.

The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be granted too broadly. A malicious admin could execute a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the "administer simple klaro" permission.

References

https://www.drupal.org/sa-contrib-2025-071

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/simple_klaro

Package

Name: drupal/simple_klaro
Purl: pkg:composer/drupal/simple_klaro

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.10.0

Database specific

{
    "constraint": "<1.10.0"
}

Database specific

affected_versions

"<1.10.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/simple_klaro/DRUPAL-CONTRIB-2025-071.json"