DRUPAL-CONTRIB-2025-073

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/simple_klaro/DRUPAL-CONTRIB-2025-073.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-073

Aliases

CVE-2025-48919

Published

2025-05-28T17:44:12Z

Modified

2025-12-10T23:41:30.503577Z

Summary

[none]

Details

The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend.

The module doesn't sufficiently sanitise data attributes allowing persistent Cross Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.

References

https://www.drupal.org/sa-contrib-2025-073

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/simple_klaro

Package

Name: drupal/simple_klaro
Purl: pkg:composer/drupal/simple_klaro

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.10.0

Database specific

{
    "constraint": "<1.10.0"
}

Database specific

affected_versions

"<1.10.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/simple_klaro/DRUPAL-CONTRIB-2025-073.json"