Date: 
2025-May-07
Vulnerability: 
Cross Site Scripting
Affected versions: 
<2.2.2
CVE IDs: 
CVE-2025-47702
Description: 

This module extends the core Media module and allows site builders to permit additional oEmbed providers beyond YouTube and Vimeo, the only providers the Drupal Security Team deems trustworthy enough for core to allow by default.

The module does not sufficiently mark its administrative permission as restricted (a restricted permission is flagged in the Permissions UI as one to give to trusted roles only), creating the possibility for the permission to be granted too broadly, including to users who cannot adequately vet providers. Content embedded from a malicious provider could then execute a Cross Site Scripting (XSS) attack in the browsers of site users.

This vulnerability is mitigated by the fact that an attacker must 1) have a role with the permission "administer oembed providers", 2) have a role with the ability to create or edit Media entities, and 3) have provisioned a publicly accessible malicious provider.

Solution: 

Install the latest version:

It is also recommended to review which roles are granted the "administer oembed providers" permission and to remove it from any role whose members are not trusted to vet providers.
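As an added example (not code from the module or the advisory), the following Drush PHP script audits a site for the two role-based conditions above: which roles hold "administer oembed providers", and which of those can also create or edit Media entities. It also reports whether the installed version of the module flags the permission as restricted. The script assumes a Drupal site with the User and Media modules enabled and Drush available; the set of media create/edit permission names it matches is assumed from core's Media module and should be checked against the site's Permissions page.

```php
<?php
// Audit script for the "administer oembed providers" permission.
// Added illustration, not part of the module or the advisory.
// Run from the site root with: drush php:script oembed-perm-audit.php
// Assumes Drupal with the User and Media modules enabled.

use Drupal\user\Entity\Role;

const OEMBED_PERM = 'administer oembed providers';

// Permissions that let a role create or edit Media entities (condition 2 of
// the advisory). The pattern is an assumption based on core's Media module:
// "create media", "update media", "update any media", the per-type
// "create TYPE media" / "edit own|any TYPE media", and "administer media".
function is_media_edit_permission(string $perm): bool {
  return $perm === 'administer media'
    || preg_match('/^(create|update|edit) (?:.* )?media$/', $perm) === 1;
}

// 1. Does the installed permission definition carry "restrict access"?
//    The user.permissions service returns the merged *.permissions.yml data,
//    so the key is present only if the module sets it.
$definitions = \Drupal::service('user.permissions')->getPermissions();
if (!isset($definitions[OEMBED_PERM])) {
  print OEMBED_PERM . " is not defined; is the module enabled?\n";
  return;
}
$restricted = !empty($definitions[OEMBED_PERM]['restrict access']);
printf("'%s' is %s\n", OEMBED_PERM,
  $restricted ? 'flagged restrict access' : 'NOT flagged restrict access');

// 2. Which roles hold the permission, and which of those can also
//    create or edit media? Roles meeting both conditions are the ones
//    to review first.
foreach (Role::loadMultiple() as $role) {
  // Admin roles bypass permission checks entirely.
  if ($role->isAdmin()) {
    printf("%-24s admin role (implicitly holds every permission)\n",
      $role->id());
    continue;
  }
  if (!$role->hasPermission(OEMBED_PERM)) {
    continue;
  }
  $media_perms = array_filter($role->getPermissions(),
    'is_media_edit_permission');
  printf("%-24s holds '%s'; media create/edit permissions: %s\n",
    $role->id(), OEMBED_PERM,
    $media_perms ? implode(', ', $media_perms) : 'none');
}
```

In Drupal, a permission is marked restricted by the `restrict access: true` key on its entry in the module's `*.permissions.yml`; when that key is set, the Permissions page shows a warning that the permission has security implications and should be given to trusted roles only. After updating, re-run the script to confirm the permission reports as flagged, then remove it from any non-admin role that should not be able to add providers.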

Reported By: 
Coordinated By: