CVE-2022-25276

6.1MEDIUM

Key Information

Vendor: Drupal
Status: Core
Vendor: CVE Published:; 26 April 2023

Summary

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

Affected Version(s)

Core < 9.4.3

Core < 9.3.19

Refferences

https://www.drupal.org/sa-core-2022-015

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 26, 2023
Vulnerability Reserved
Feb 16, 2022

Collectors

NVD DatabaseMitre Database