CVE-2022-25276
MEDIUM
Drupal 9.3.0-9.3.18 and Drupal Core 8.0.0-9.3.18 - Cross-Site Scripting via Media oEmbed Iframe Domain Validation
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
References (1)
Core References
Vendor Advisory
https://www.drupal.org/sa-core-2022-015
Scores
CVSS v3
6.1
EPSS
0.0225
EPSS Percentile
84.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
drupal/core
8.0.0 - 9.3.19 (Packagist)
drupal/drupal
9.3.0 - 9.3.19
Published
Apr 26, 2023
Tracked Since
Feb 18, 2026