"Ricochet was very impressive with their knowledge, abilities and professionalism. We never ran into a technological roadblock or problem that couldn't be solved. They were able to offer new, cutting-edge solutions around every corner, and they were fantastic about staying in communication. It seemed like we were always able to get ahold of someone, whether it was Tuesday at 1am or Saturday at 7am, someone was quick to respond and help address an emergency or even a simple inquiry. Truly professional service, and quality work.
—Jacob Sowinski, Blue Canvas

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-049

Wed, 2025-05-07 10:06 — Anonymous (not verified)

Project: COOKiES Consent ManagementDate: 2025-May-07Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.2.14CVE IDs: CVE-2025-47703Description: The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.
The cookies_asset_injector module (a sub-module of the COOKiES module) also allows inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.
A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).Solution: Install the latest version:

If you use the COOKiES Consent Management module for Drupal 9 or above, upgrade to COOKiES Consent Management 1.2.14

Reported By:

Pierre Rudloff (prudloff)

Fixed By:

Joachim Feltkamp (jfeltkamp)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-049

Search form

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-049