[IT-SecNots] [Security-news] IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2025-051

Project: IFrame Remove Filter [1]
Date: 2025-May-07
Security risk: *Moderately critical* 14 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Affected versions: <2.0.5
CVE IDs: CVE-2025-47705
Description: 
This module enables you to add a filter to text formats (Full HTML, Filtered
HTML), which will remove every iframe where the "src" is not on the
allowlist.

The module doesn't sufficiently filter these iframes in certain situations.

This vulnerability is mitigated by the fact that an attacker must be able to
edit content that allows iframes.

Solution: 
Install the latest version:

 * If you use the IFrame Remove Filter module for Drupal 10.x or 11.x,
   upgrade to IFrame Remove Filter 2.0.5 [3]

Reported By: 
 * Pierre Rudloff (prudloff) [4]

Fixed By: 
 * Bálint Nagy (nagy.balint) [5]

Coordinated By: 
 * Greg Knaddison (greggles) [6] of the Drupal Security Team
 * Drew Webber (mcdruid) [7] of the Drupal Security Team
 * Juraj Nemec (poker10) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/iframeremove
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/iframeremove/releases/2.0.5
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/nagybalint
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/mcdruid
[8] https://www.drupal.org/u/poker10

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news