View online: https://www.drupal.org/sa-contrib-2025-048
Project: oEmbed Providers [1] Date: 2025-May-07 Security risk: *Moderately critical* 10 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Cross Site Scripting
Affected versions: <2.2.2 CVE IDs: CVE-2025-47702 Description: This module extends the core Media module and allows site creators to permit oEmbed providers in addition to YouTube and Vimeo, which are deemed trustworthy by the Drupal Security Team.
The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be granted too broadly and to users without the ability to adequately vet providers. A malicious provider could execute a Cross Site Scripting (XSS) attack.
This vulnerability is mitigated by the fact that an attacker must 1) have a role with the permission "administer oembed providers", 2) have a role with the ability to create or edit Media entities, and 3) have provisioned a publicly-accessible, malicious provider.
Solution: Install the latest version:
* If you use oEmbed Providers module for Drupal, upgrade to oEmbed Providers 2.2.2 [3]
It is also recommended to review which roles are granted the "administer oembed providers" permission.
Reported By: * Pierre Rudloff (prudloff) [4]
Fixed By: * Chris Burge (chris burge) [5]
Coordinated By: * Greg Knaddison (greggles) [6] of the Drupal Security Team * Juraj Nemec (poker10) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/oembed_providers [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/oembed_providers/releases/2.2.2 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/chris-burge [6] https://www.drupal.org/u/greggles [7] https://www.drupal.org/u/poker10