The IframeConsent element writes HTML attributes without escaping their value.
This module has a XSS vulnerability. If an attacker is able to write an <iframe-consent> tag, they may be able to insert arbitrary JavaScript.
This vulnerability is mitigated by the fact that a text format that allows iframe-consent HTML tags with alt attributes in the necessary option (Enable JS Iframe consent) must be enabled, and an attacker must have a role allowing the creation or modification of content in a field with text the format.
Install the latest version:
- If you use the 2.x branch of Orejime, upgrade to Orejime 2.0.16.
- Pierre Rudloff (prudloff) of the Drupal Security Team
- Fabien Gutknecht (fabsgugu)
- Pierre Rudloff (prudloff) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team