CVE-2022-25276
Published 2023-04-26 · CVE-2022-25276: The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain…
Priority P424 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.53% (40.5th percentile)
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 8.0.0 < 9.3.19 | 9.3.19 |
| drupal | core | >= 9.3 < 9.3.19 | 9.3.19 |
| drupal | core | >= 9.4 < 9.4.3 | 9.4.3 |
| drupal | core | >= 9.4.0 < 9.4.3 | 9.4.3 |
| drupal | drupal | >= 9.3.0 < 9.3.19 | 9.3.19 |
| drupal | drupal | >= 9.4.0 < 9.4.3 | 9.4.3 |
| drupal | drupal_core | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | — | 6.1 | MEDIUM | — |
Drupal
Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015
vendor_drupal · 2022-07-20 · CVE-2022-25276 [MEDIUM]
Vulnerability Type: Multiple vulnerabilities
Description: The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. This advisory is not covered by Drupal Steward.
Solution: Install the latest version: If you are using Drupal 9.4, update to Drupal 9.4.3. If you are using Drupal 9.3, update to Drupal 9.3.19. All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life. Drupal 7 core does not include the Media mo
OSV
CVE-2022-25276: The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary
osv · 2023-04-26 · CVSS 6.1 · CVE-2022-25276 [MEDIUM]
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
OSV
Lack of domain validation in Drupal core
osv · 2023-04-26 · CVE-2022-25276 [MEDIUM]
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
Drupal 7 core does not include the Media module and therefore is not affected.
GHSA
Lack of domain validation in Drupal core
ghsa · 2023-04-26 · CVE-2022-25276 [MEDIUM] · CWE-79
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
Drupal 7 core does not include the Media module and therefore is not affected.
OSV
CVE-2022-25276: The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary
osv · 2022-07-20 · CVE-2022-25276
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
This advisory is not covered by [Drupal Steward](/steward).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-04-26