Cross-Site Scripting Vulnerability in Drupal's Media oEmbed Component
CVE-2022-25276
6.1 MEDIUM
Summary
The Media oEmbed component in Drupal does not properly validate its iframe domain setting. As a result, embeds that should be isolated on a separate domain can instead be rendered in the context of the site's primary domain. An attacker who can supply a malicious embed can therefore carry out a cross-site scripting attack, exposing sensitive user data such as cookies and potentially performing unauthorized actions on behalf of users.
Affected Version(s)
Core 9.4 < 9.4.3
Core 9.3 < 9.3.19
References
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved