Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-25276

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

Published

2023-04-26T15:15:08.663

Last Modified

2025-02-03T19:15:09.243

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

Weaknesses

Type: Primary
CWE-79
Type: Secondary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	drupal	drupal	< 9.3.19	Yes
Application	drupal	drupal	< 9.4.3	Yes

References

https://www.drupal.org/sa-core-2022-015 Vendor Advisory ([email protected])
https://www.drupal.org/sa-core-2022-015 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)