CVE-2022-25276

CWE-79 — Cross-site Scripting (XSS)7 documents5 sources

Severity

6.1MEDIUM

EPSS

1.3%

top 20.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal Drupal

Timeline

PublishedApr 26

Description

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5drupal/core9.4 — 9.4.3+1

▶Packagistdrupal/core8.0.0 — 9.3.19+1

▶NVDdrupal/drupal9.3.0 — 9.3.19+1

🔴Vulnerability Details

CVEList

CVE-2022-25276: The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary↗2023-04-26

▶

OSV

CVE-2022-25276: The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary↗2023-04-26

▶

OSV

Lack of domain validation in Druple core↗2023-04-26

▶

GHSA

Lack of domain validation in Druple core↗2023-04-26

▶

OSV

CVE-2022-25276: The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary↗2022-07-20

▶

📋Vendor Advisories

Drupal

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015↗2022-07-20

▶