
it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

[IT-SecNots] [Security-news] COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075
  • Date: Wed, 28 May 2025 17:45:38 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-075

Project: COOKiES Consent Management [1]
Date: 2025-May-28
Security risk: *Moderately critical* 12/25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: <1.2.15
CVE IDs: CVE-2025-48914
Description:
This module provides a text format filter that lets the site "disable" certain
HTML elements specified by the user (e.g. by removing their src attribute).
These elements are enabled again once the COOKiES banner is accepted.

When module-specific classes are set on an HTML element, the module does not
sufficiently check whether the "data-src" attribute should be converted back
to "src", so a "data-src" value containing malicious content can be promoted
into a live "src" attribute.

This vulnerability is mitigated by the fact that the site must have the
COOKiES filter submodule enabled, an attacker must have the permissions
required to have a specific HTML element displayed for all users, and that
HTML element needs to have three specific classes set.
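
The defensive pattern the fix calls for, as an added example that is not the COOKiES module's own code: before a consent handler copies "data-src" back into "src", the value is parsed as a URL and only http(s) targets (or relative paths resolved against the site origin) are accepted. The gate class names, the example origin and the attribute-object representation of an element are assumptions for the example.

```javascript
// Added example, not code from the COOKiES module. Elements are modelled as
// plain attribute objects so the logic runs outside a browser as well.
const GATE_CLASSES = ['cookies-blocked', 'cookies-media', 'cookies-consent']; // hypothetical
const SITE_ORIGIN = 'https://example.org/'; // hypothetical base for relative paths
const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

// True only if `value` resolves to an http(s) URL. Anything that fails to
// parse, or resolves to another scheme (javascript:, data:, ...), is refused.
function isSafeSrc(value) {
  if (typeof value !== 'string' || value.trim() === '') return false;
  let url;
  try {
    url = new URL(value, SITE_ORIGIN);
  } catch {
    return false;
  }
  return SAFE_PROTOCOLS.has(url.protocol);
}

// Returns the src value that may be restored after consent, or null if the
// element must stay disabled (classes missing or data-src not a safe URL).
function consentSrcFor(attrs) {
  const classes = (attrs.class || '').split(/\s+/).filter(Boolean);
  const gated = GATE_CLASSES.every((c) => classes.includes(c));
  if (!gated) return null;
  const candidate = attrs['data-src'];
  return isSafeSrc(candidate) ? candidate : null;
}

// Applies the check to a list of elements; blocked ones keep src unset.
function restoreAfterConsent(elements) {
  return elements.map((attrs) => {
    const src = consentSrcFor(attrs);
    return src === null ? attrs : { ...attrs, src };
  });
}

module.exports = { isSafeSrc, consentSrcFor, restoreAfterConsent };
```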

Solution: 
Install the latest version:

* If you use the COOKiES Consent Management module for Drupal 9 or above,
upgrade to COOKiES Consent Management 1.2.15 [3]

Reported By: 
* Pierre Rudloff (prudloff) [4]

Fixed By: 
* Julian Pustkuchen (anybody) [5]
* Joshua Sedler (grevil) [6]
* Joachim Feltkamp (jfeltkamp) [7]

Coordinated By: 
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Cathy Theys (yesct) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/cookies
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cookies/releases/1.2.15
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/anybody
[6] https://www.drupal.org/u/grevil
[7] https://www.drupal.org/u/jfeltkamp
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/yesct

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
