IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051

Project:

IFrame Remove Filter

Date:

2025-May-07

Security risk:

Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross site scripting

Affected versions:

<2.0.5

CVE IDs:

CVE-2025-47705

Description:

This module enables you to add a filter to text formats (Full HTML, Filtered HTML), which will remove every iframe where the "src" is not on the allowlist.

The module doesn't sufficiently filter these iframes in certain situations.

This vulnerability is mitigated by the fact that an attacker must be able to edit content that allows iframes.

Solution:

Install the latest version:

If you use the IFrame Remove Filter module for Drupal 10.x or 11.x, upgrade to IFrame Remove Filter 2.0.5

Reported By:

Pierre Rudloff (prudloff) Provisional Member of the Drupal Security Team

Fixed By:

Bálint Nagy (nagy.balint)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) Provisional Member of the Drupal Security Team

Contribution record

IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community