Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-May-28
Vulnerability:
Cross Site Scripting
Affected versions:
<1.2.15
CVE IDs:
CVE-2025-48915
Description:
The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.
Each sub-module allows to include a specific third party service in the consent management, by controlling the execution of javascript. However, this does not adequately check whether the provided JavaScript code originates from authorized users.
A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).
Solution:
Install the latest version:
- If you use the COOKiES Consent Management module for Drupal 9 or above, upgrade to COOKiES Consent Management 1.2.15
Reported By:
- Pierre Rudloff (prudloff) Provisional Member of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Cathy Theys (yesct) of the Drupal Security Team
