Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092


Chronologisch Thread  
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092
  • Date: Wed, 23 Jul 2025 17:10:20 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=N4FeC6fs; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 2BCBB405ED
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org AB5D140112
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-092

Project: COOKiES Consent Management [1]
Date: 2025-July-23
Security risk: *Moderately critical* 12 ∕ 25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting

Affected versions: <1.2.16
CVE IDs: CVE-2025-8092
Description: 
This module allows you to manage video media items using the COOKiES module
(disabling external video elements). These elements will be enabled again,
once the COOKiES banner is accepted.

The module doesn't sufficiently check whether to convert "data-src"
attributes to "src" when their value might contain malicious content under
the scenario, that module specific classes are set on the HTML element.

This vulnerability is mitigated by the fact that an attacker must have the
correct permissions to have a specific HTML element display for all users,
and this HTML element needs to have a specific class set.

Solution: 
Install the latest version:

* If you use the COOKiES Video submodule for Drupal upgrade to COOKiES
1.2.16 [3]

Reported By: 
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team

Fixed By: 
* Joshua Sedler (grevil) [5]
* Joachim Feltkamp (jfeltkamp) [6]

Coordinated By: 
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Pierre Rudloff (prudloff) [9] provisional member of the Drupal Security
Team
* Cathy Theys (yesct) [10] of the Drupal Security Team


[1] https://www.drupal.org/project/cookies
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cookies/releases/1.2.16
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/grevil
[6] https://www.drupal.org/u/jfeltkamp
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/prudloff
[10] https://www.drupal.org/u/yesct

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


  • [IT-SecNots] [Security-news] COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092, security-news, 23.07.2025

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang