DRUPAL-CONTRIB-2025-087

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cookies_addons/DRUPAL-CONTRIB-2025-087.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-087
Aliases
  • CVE-2025-7392
Published
2025-07-09T16:37:27Z
Modified
2025-12-10T23:41:31.857537Z
Summary
[none]
Details

This module provides a format filter that allows you to "disable" iframes specified by the user (e.g. by removing their src attribute). These elements are enabled again once the Cookies banner is accepted.

The module doesn't sufficiently filter user-supplied content whose value might contain malicious content, leading to a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the site must have the Cookies Addons Embed Iframe submodule enabled and an attacker must have the correct permissions to use a text field with a text format that allows iframes to be used.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/cookies_addons

Package

Name
drupal/cookies_addons
Purl
pkg:composer/drupal/cookies_addons

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.2.4
Database specific
{
    "constraint": ">=1.0.0 <1.2.4"
}

Database specific

patched
true
affected_versions
">=1.0.0 <1.2.4"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cookies_addons/DRUPAL-CONTRIB-2025-087.json"