Cross-Site Scripting Vulnerability in Drupal's Media oEmbed Component
CVE-2022-25276
6.1 MEDIUM
What is CVE-2022-25276?
The Media oEmbed component in Drupal does not properly validate the iframe domain setting. As a result, malicious embeds can be rendered in the context of the primary domain. Exploitation can lead to cross-site scripting, exposing sensitive user data such as cookies and potentially allowing unauthorized actions on behalf of users.
Affected Version(s)
Core 9.4 < 9.4.3
Core 9.3 < 9.3.19