Platform: drupal
Component: core
Fixed in: 9.3.19, 9.4.3
CVE-2022-25276 describes a cross-site scripting (XSS) vulnerability in the Media module's oEmbed iframe route in Drupal Core. The vulnerability arises from insufficient validation of the iframe domain setting, which can allow embeds to execute in the primary domain's context. Successful exploitation could lead to XSS, leaked cookies, or other security issues. This affects Drupal Core versions up to and including 9.3.9. The vulnerability is fixed in Drupal version 9.3.19.
CVE-2022-25276 in Drupal Core affects the oEmbed iframe route within the Media module. The vulnerability stems from improper validation of the iframe domain setting, allowing embeds to be displayed within the primary domain's context. This can potentially lead to Cross-Site Scripting (XSS), cookie leakage, or other security vulnerabilities. The risk is heightened for websites heavily utilizing third-party embeds, as an attacker could exploit this weakness to inject malicious code into protected pages, compromising user security and site integrity. Upgrading to Drupal 9.3.19 or later is crucial to mitigate this risk. Drupal 7 is not affected as it does not include the Media module.
An attacker could exploit this vulnerability by crafting a malicious oEmbed iframe pointing to an untrusted domain. If the Drupal site doesn't properly validate the iframe domain, the malicious content will load within the primary domain's context, allowing the attacker to execute arbitrary JavaScript in the user's browser. This could be used to steal session cookies, redirect users to malicious websites, or even modify the website's content. The likelihood of exploitation depends on the site's configuration and the presence of custom modules or code that interacts with the Media module.
Exploit Status:
EPSS: 1.26% (79th percentile)
CVSS Vector:
The primary solution to address CVE-2022-25276 is to upgrade Drupal Core to version 9.3.19 or later. This update includes the necessary fixes to correctly validate the oEmbed iframe domain. Additionally, review and update any custom modules that utilize the Media module and its oEmbed functionalities. Implementing a Content Security Policy (CSP) can provide an extra layer of protection by restricting the sources of content that can be loaded on the website. Monitoring site logs for suspicious activity is also a recommended practice to detect and respond to potential exploitation attempts.
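To make the iframe-domain requirement concrete, here is an added example (not Drupal's own code) of the two defender-side checks the advisory implies: an audit of the exported `media.settings` `iframe_domain` value against the primary site origin, and a per-request gate that serves the oEmbed iframe route only via that dedicated domain. The config dict shape and the `frame-src` helper are assumptions for illustration.

```python
"""Audit and enforce the Media oEmbed iframe domain (illustrative, not Drupal code)."""
from urllib.parse import urlsplit


def audit_iframe_domain(media_settings: dict, primary_site_url: str) -> list[str]:
    """Return findings for the `iframe_domain` setting; an empty list means it is sound.

    `media_settings` is assumed to mirror the exported Drupal `media.settings`
    config object, i.e. {"iframe_domain": "https://embeds.example.org"}.
    """
    findings = []
    iframe_domain = (media_settings.get("iframe_domain") or "").strip()
    if not iframe_domain:
        # Without a dedicated domain, embeds render inside the primary origin.
        return ["iframe_domain is empty: oEmbed iframes are served from the primary origin"]
    parts = urlsplit(iframe_domain)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return [f"iframe_domain {iframe_domain!r} lacks a scheme or host"]
    primary = urlsplit(primary_site_url)
    if parts.hostname.lower() == (primary.hostname or "").lower():
        findings.append("iframe_domain is the same host as the primary site; "
                        "embeds still execute in the primary origin")
    if parts.scheme == "http" and primary.scheme == "https":
        findings.append("iframe_domain is plain http while the site is https; "
                        "browsers will block or downgrade the embed")
    return findings


def oembed_iframe_request_allowed(media_settings: dict, request_host: str) -> bool:
    """Gate the /media/oembed route: serve only when reached via the iframe domain.

    `request_host` is the raw Host header (port allowed). When no iframe domain is
    configured the route is left unchanged; the audit above flags that state.
    """
    iframe_domain = (media_settings.get("iframe_domain") or "").strip()
    if not iframe_domain:
        return True
    expected = urlsplit(iframe_domain).hostname
    host_only = request_host.split(":", 1)[0].lower()
    return expected is not None and host_only == expected.lower()


def csp_frame_src(media_settings: dict) -> str:
    """Build the `frame-src` CSP directive for the primary site (hypothetical helper).

    The primary pages only need to frame the dedicated iframe domain; the
    third-party provider content is framed from inside that domain instead.
    """
    iframe_domain = (media_settings.get("iframe_domain") or "").strip()
    parts = urlsplit(iframe_domain)
    origin = f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else "'self'"
    return f"frame-src {origin}"
```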
Update Drupal Core to version 9.4.3 or later, or to version 9.3.19 or later, to mitigate the vulnerability. This update fixes a validation flaw in the oEmbed iframe route that could allow cross-site scripting (XSS), cookie theft, or other vulnerabilities.
No, Drupal 7 is not affected because it does not include the Media module.
If you cannot upgrade, consider implementing a Content Security Policy (CSP) to mitigate the risk.
oEmbed is a protocol that allows embedding content from external websites into your Drupal site.
You can verify the Drupal version on the site's administration page, in the 'Site information' section.
Yes, there are several Drupal vulnerability scanning tools, both free and paid.