it-securitynotifies - [IT-SecNots] [Security-news] Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087
[IT-SecNots] [Security-news] Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087
  • Date: Wed, 9 Jul 2025 16:37:28 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=aMKyLead; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 7D8F461226
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 8968B40123
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-087

Project: Cookies Addons [1]
Date: 2025-July-09
Security risk: *Moderately critical* 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site Scripting

Affected versions: >1.0.0 < 1.2.4
CVE IDs: CVE-2025-7392
Description: 
This module provides a format filter, which allows you to "disable" iframes
(e.g. remove their src attribute) specified by the user. These elements will
be enabled again, once the Cookies banner is accepted.

The module does not sufficiently sanitize the user-supplied iframe content it
processes, so values containing malicious content can lead to a Cross-site
Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the site must have the
Cookies Addons Embed Iframe submodule enabled and an attacker must have the
correct permissions to use a text field with a text format that allows
iframes to be used.
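To make the filtering requirement concrete, here is an added example (not code from the Cookies Addons module or from its fix) of an iframe-disabling filter written defensively in Python: it parses the markup with a real HTML parser rather than pattern matching, moves `src` into `data-src` only when it is an absolute http(s) URL, keeps just an allow-list of attributes, and re-escapes every value it emits, so event-handler or `srcdoc` attributes never survive into the output. The allow-list, the `data-src` convention and the sample input are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list for this example: attributes a disabled iframe may keep.
# Anything else (event handlers, srcdoc, ...) is dropped rather than copied through.
IFRAME_ALLOWED_ATTRS = {"width", "height", "title", "class", "allowfullscreen"}
ALLOWED_SCHEMES = {"http", "https"}


def safe_embed_url(value):
    """Return the URL if it is an absolute http(s) URL, otherwise None."""
    if value is None:
        return None
    candidate = value.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


class IframeDisabler(HTMLParser):
    """Rewrites <iframe> tags: src moves to data-src, unknown attributes are removed."""

    def __init__(self):
        # convert_charrefs=False so entities in text are re-emitted exactly as written
        super().__init__(convert_charrefs=False)
        self.out = []
        self.iframe_depth = 0  # > 0 while inside <iframe>...</iframe>

    def _disabled_iframe(self, attrs):
        parts = ["<iframe"]
        for name, value in attrs:  # html.parser lowercases names and unescapes values
            if name == "src":
                url = safe_embed_url(value)
                if url is not None:
                    parts.append(f' data-src="{html.escape(url, quote=True)}"')
            elif name in IFRAME_ALLOWED_ATTRS:
                if value is None:
                    parts.append(f" {name}")
                else:
                    parts.append(f' {name}="{html.escape(value, quote=True)}"')
            # every other attribute is silently dropped
        parts.append(">")
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframe_depth += 1
            self.out.append(self._disabled_iframe(attrs))
        elif not self.iframe_depth:
            # Non-iframe markup is passed through unchanged; the other filters of
            # the text format are assumed to handle it.
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag == "iframe":
            self.out.append(self._disabled_iframe(attrs) + "</iframe>")
        elif not self.iframe_depth:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "iframe":
            if self.iframe_depth:
                self.iframe_depth -= 1
                self.out.append("</iframe>")
        elif not self.iframe_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.iframe_depth:  # iframe fallback content is discarded
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.iframe_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.iframe_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments are dropped


def disable_iframes(markup):
    """Run the filter over a fragment of HTML and return the rewritten markup."""
    parser = IframeDisabler()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input, not taken from the advisory.
    sample = ('<p>Video &amp; more</p>'
              '<iframe src="https://example.com/embed?a=1&amp;b=2" width="560" '
              'onload="alert(1)">fallback</iframe>')
    print(disable_iframes(sample))
```

The design point is that the filter never copies an attribute it has not explicitly approved, and that the stored URL is validated before it is stashed: the JavaScript that later restores `src` from `data-src` after consent then only ever re-enables an http(s) embed. A filter that merely deletes `src` and copies the rest of the tag would leave any other attribute value in the output unchanged.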

Solution: 
Install the latest version:

* Upgrade to Cookies Addons 1.2.4 [3]

Reported By: 
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team

Fixed By: 
* Guido Schmitz (guido_s) [5]
* Kostia Bohach (_shy) [6]

Coordinated By: 
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Pierre Rudloff (prudloff) [8] provisional member of the Drupal Security Team


[1] https://www.drupal.org/project/cookies_addons
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cookies_addons/releases/1.2.4
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/guido_s
[6] https://www.drupal.org/u/_shy
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/prudloff

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19+.
