Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-May-07
Vulnerability:
Cross Site Scripting
Affected versions:
<1.2.14
CVE IDs:
CVE-2025-47703
Description:
The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.
The cookies_asset_injector module (a sub-module of the COOKiES module) also allows inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.
A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).
Solution:
Install the latest version:
- If you use the COOKiES Consent Management module for Drupal 9 or above, upgrade to COOKiES Consent Management 1.2.14
Reported By:
- Pierre Rudloff (prudloff) Provisional Member of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
