Project Ricochet's top notch developers, designers and PM’s allowed us to bring our vision of an e-commerce style class search to life. We had a tight budget and a lot of unexpected problems on the Berkeley side. Utilizing Ricochet's state of the art tracking tools and disciplined scrum approach allowed us to surmount every challenge and end up with a fantastic application. We loved the creative collaboration that allowed us to remake a boring campus class schedule into a high-octane search tool that our students and faculty love! Thank you Casey and the whole PR team!
—Johanna Metzgar

Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087

Wed, 2025-07-09 09:37 — Anonymous (not verified)

Project: Cookies AddonsDate: 2025-July-09Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site ScriptingAffected versions: >1.0.0 < 1.2.4CVE IDs: CVE-2025-7392Description: This module provides a format filter, which allows you to "disable" iframes (e.g. remove their src attribute) specified by the user. These elements will be enabled again, once the Cookies banner is accepted.
The module doesn't sufficiently filter user-supplied content when their value might contain malicious content leading to a Cross-site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that the site must have the Cookies Addons Embed Iframe submodule enabled and an attacker must have the correct permissions to use a text field with a text format that allows iframes to be used.Solution: Install the latest version:

Upgrade to Cookies Addons 1.2.4

Reported By:

Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-087

Search form

Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087