"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-076

Wed, 2025-05-28 10:46 — Anonymous (not verified)

Project: COOKiES Consent ManagementDate: 2025-May-28Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <1.2.15CVE IDs: CVE-2025-48915Description: The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.
Each sub-module allows to include a specific third party service in the consent management, by controlling the execution of javascript. However, this does not adequately check whether the provided JavaScript code originates from authorized users.
A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).Solution: Install the latest version:

If you use the COOKiES Consent Management module for Drupal 9 or above, upgrade to COOKiES Consent Management 1.2.15

Reported By:

Pierre Rudloff (prudloff)

Fixed By:

Joachim Feltkamp (jfeltkamp)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Cathy Theys (yesct) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-076

Search form

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-076