Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-July-09
Vulnerability:
Cross-site Scripting
Affected versions:
>1.0.0 < 1.2.4
CVE IDs:
CVE-2025-7392
Description:
This module provides a format filter, which allows you to "disable" iframes (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the Cookies banner is accepted.
The module doesn't sufficiently filter user-supplied content when their value might contain malicious content leading to a Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that the site must have the Cookies Addons Embed Iframe submodule enabled and an attacker must have the correct permissions to use a text field with a text format that allows iframes to be used.
Solution:
Install the latest version:
- Upgrade to Cookies Addons 1.2.4
Reported By:
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
