[Security-news] COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092
security-news at drupal.org
security-news at drupal.org
Wed Jul 23 17:10:20 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-092
Project: COOKiES Consent Management [1]
Date: 2025-July-23
Security risk: *Moderately critical* 12 ∕ 25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.2.16
CVE IDs: CVE-2025-8092
Description:
This module allows you to manage video media items using the COOKiES module
(disabling external video elements). These elements will be enabled again,
once the COOKiES banner is accepted.
The module doesn't sufficiently check whether to convert "data-src"
attributes to "src" when their value might contain malicious content under
the scenario, that module specific classes are set on the HTML element.
This vulnerability is mitigated by the fact that an attacker must have the
correct permissions to have a specific HTML element display for all users,
and this HTML element needs to have a specific class set.
Solution:
Install the latest version:
* If you use the COOKiES Video submodule for Drupal upgrade to COOKiES
1.2.16 [3]
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team
Fixed By:
* Joshua Sedler (grevil) [5]
* Joachim Feltkamp (jfeltkamp) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Pierre Rudloff (prudloff) [9] provisional member of the Drupal Security
Team
* Cathy Theys (yesct) [10] of the Drupal Security Team
[1] https://www.drupal.org/project/cookies
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cookies/releases/1.2.16
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/grevil
[6] https://www.drupal.org/u/jfeltkamp
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/prudloff
[10] https://www.drupal.org/u/yesct
More information about the Security-news
mailing list