it-securitynotifies - [IT-SecNots] [Security-news] oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048
  • Date: Wed, 7 May 2025 17:06:27 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-048

Project: oEmbed Providers [1]
Date: 2025-May-07
Security risk: *Moderately critical* 10/25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

Affected versions: <2.2.2
CVE IDs: CVE-2025-47702
Description: 
This module extends the core Media module and allows site builders to permit
additional oEmbed providers beyond YouTube and Vimeo, the two providers the
Drupal Security Team deems trustworthy.

The module doesn't sufficiently mark its administrative permission as
restricted, creating the possibility for the permission to be granted too
broadly and to users without the ability to adequately vet providers. A
malicious provider could execute a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must 1) have a
role with the permission "administer oembed providers", 2) have a role with
the ability to create or edit Media entities, and 3) have provisioned a
publicly-accessible, malicious provider.

Solution: 
Install the latest version:

* If you use oEmbed Providers module for Drupal, upgrade to oEmbed Providers
2.2.2 [3]

It is also recommended to review which roles are granted the "administer
oembed providers" permission.
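As an added example (not part of the advisory or of the oEmbed Providers module), the following Drush script audits a site for the two conditions the advisory describes: whether the permission is declared with `restrict access` and which roles hold it together with the ability to create or edit Media. The permission name is taken from the advisory; the script file name and the `media_edit` permission set (from core's media.permissions.yml) are assumptions.

```php
<?php
// Run on the site with: drush php:script audit_oembed_perm.php
// Assumes a Drupal 10/11 site with Drush and the oEmbed Providers module enabled.

use Drupal\user\Entity\Role;

$permission = 'administer oembed providers';
// Core Media permissions that allow creating or editing media entities (the
// second precondition in the advisory). Names as defined in core's
// media.permissions.yml; adjust if the site defines its own.
$media_edit = ['administer media', 'create media', 'update media', 'update any media'];

// 1) Inspect the permission definition. The fix in 2.2.2 is for the module to
//    declare the permission as restricted, i.e. in its permissions.yml:
//      administer oembed providers:
//        title: 'Administer oEmbed providers'
//        restrict access: true
//    which makes the permissions UI warn before the permission is granted.
$definitions = \Drupal::service('user.permissions')->getPermissions();
if (!isset($definitions[$permission])) {
  print "Permission '$permission' is not defined; is the module enabled?\n";
  return;
}
$restricted = !empty($definitions[$permission]['restrict access']);
printf("'%s' is marked restricted: %s\n", $permission, $restricted ? 'yes' : 'NO (update to 2.2.2)');

// 2) List roles holding the permission. Admin roles implicitly hold every
//    permission, so they are reported as well.
$findings = [];
foreach (Role::loadMultiple() as $role) {
  $is_admin = $role->isAdmin();
  if (!$is_admin && !$role->hasPermission($permission)) {
    continue;
  }
  $can_edit_media = $is_admin;
  foreach ($media_edit as $p) {
    $can_edit_media = $can_edit_media || $role->hasPermission($p);
  }
  $findings[$role->id()] = [
    'admin' => $is_admin,
    // A role meeting both preconditions deserves review first.
    'both_preconditions' => $can_edit_media,
  ];
}
foreach ($findings as $rid => $f) {
  printf("role %-20s %s%s\n", $rid,
    $f['admin'] ? '(admin role) ' : '',
    $f['both_preconditions'] ? 'REVIEW: can also create/edit media' : 'holds permission only');
}
```

Any non-admin role listed as "REVIEW" can both add a provider and embed it, so those assignments are the ones to reconsider after upgrading.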

Reported By: 
* Pierre Rudloff (prudloff) [4]

Fixed By: 
* Chris Burge (chris burge) [5]

Coordinated By: 
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/oembed_providers
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/oembed_providers/releases/2.2.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/chris-burge
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

