[Security-news] oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048

security-news at drupal.org security-news at drupal.org
Wed May 7 17:06:27 UTC 2025


View online: https://www.drupal.org/sa-contrib-2025-048

Project: oEmbed Providers [1]
Date: 2025-May-07
Security risk: *Moderately critical* 10 ∕ 25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

Affected versions: <2.2.2
CVE IDs: CVE-2025-47702
Description: 
This module extends the core Media module and lets site builders enable oEmbed
providers beyond YouTube and Vimeo, the two providers core allows by default
because the Drupal Security Team deems them trustworthy.

The module does not sufficiently flag its administrative permission as
restricted (Drupal's "restrict access" marker, which makes the Permissions page
warn that a permission should only be given to trusted roles). The permission
can therefore be granted too broadly, including to users who cannot adequately
vet providers, and a malicious provider enabled that way could be used to
execute a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must 1) have a
role with the permission "administer oembed providers", 2) have a role with
the ability to create or edit Media entities, and 3) have provisioned a
publicly-accessible, malicious provider.

Solution: 
Install the latest version:

  * If you use oEmbed Providers module for Drupal, upgrade to oEmbed Providers
    2.2.2 [3]

It is also recommended to review which roles are granted the "administer
oembed providers" permission and to remove it from any role whose members are
not trusted to vet providers.
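As an added example, not part of this advisory or of the oEmbed Providers module, the following POSIX shell script audits an exported Drupal configuration directory (the user.role.*.yml files that `drush config:export` writes) for every role that holds a given permission. It assumes the standard exported role layout (an `id:` key, an `is_admin:` key and a `permissions:` list of quoted names) and writes three constructed sample role files for the demonstration. Roles with `is_admin: true` hold every permission implicitly, so the audit reports them as well; an advisory review that only greps for the permission string would miss them.

```shell
#!/bin/sh
# Audit exported Drupal role config for a permission.
# Added example; not code from the advisory or the oembed_providers module.
# Assumes the usual config export layout: one user.role.<id>.yml per role,
# with `id:`, `is_admin:` and a `permissions:` list of quoted names.

# Print the ids of roles that effectively hold permission $2, reading the
# user.role.*.yml files in directory $1. Roles with is_admin: true hold
# every permission, so they are listed too, marked "(is_admin)".
roles_with_permission() {
  dir="$1"; perm="$2"
  for f in "$dir"/user.role.*.yml; do
    [ -f "$f" ] || continue
    id=$(sed -n 's/^id: *//p' "$f" | head -n1)
    if grep -qE '^is_admin: *true *$' "$f"; then
      printf '%s (is_admin)\n' "$id"
    elif grep -qE "^ *- *[\"']?${perm}[\"']? *$" "$f"; then
      printf '%s\n' "$id"
    fi
  done
}

# Write constructed sample role config (not a real site's export) into $1.
make_sample_config() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/user.role.administrator.yml" <<'EOF'
id: administrator
label: Administrator
is_admin: true
permissions: {  }
EOF
  cat > "$dir/user.role.content_editor.yml" <<'EOF'
id: content_editor
label: 'Content editor'
is_admin: null
permissions:
  - 'access administration pages'
  - 'administer oembed providers'
  - 'create media'
EOF
  cat > "$dir/user.role.authenticated.yml" <<'EOF'
id: authenticated
label: 'Authenticated user'
is_admin: null
permissions:
  - 'access content'
EOF
}

# Demonstration against the constructed sample: prints
#   administrator (is_admin)
#   content_editor
SAMPLE_DIR="${TMPDIR:-/tmp}/oembed_role_audit.$$"
make_sample_config "$SAMPLE_DIR"
roles_with_permission "$SAMPLE_DIR" 'administer oembed providers'
rm -rf "$SAMPLE_DIR"
```

To audit a real site, point `roles_with_permission` at the config sync directory of a fresh export; on a live site `drush role:list` shows the same information from the active configuration. Any role in the output other than a genuinely administrative one should lose the permission, since holding it together with the ability to create or edit Media entities is what the advisory's attack requires.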

Reported By: 
  * Pierre Rudloff (prudloff) [4]

Fixed By: 
  * Chris Burge (chris burge) [5]

Coordinated By: 
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Juraj Nemec (poker10) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/oembed_providers
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/oembed_providers/releases/2.2.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/chris-burge
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
