"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051

Wed, 2025-05-07 10:07 — Anonymous (not verified)

Project: IFrame Remove FilterDate: 2025-May-07Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingAffected versions: <2.0.5CVE IDs: CVE-2025-47705Description: This module enables you to add a filter to text formats (Full HTML, Filtered HTML), which will remove every iframe where the "src" is not on the allowlist.
The module doesn't sufficiently filter these iframes in certain situations.
This vulnerability is mitigated by the fact that an attacker must be able to edit content that allows iframes.Solution: Install the latest version:

If you use the IFrame Remove Filter module for Drupal 10.x or 11.x, upgrade to IFrame Remove Filter 2.0.5

Reported By:

Pierre Rudloff (prudloff)

Fixed By:

Bálint Nagy (nagy.balint)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff)

Path to article https://www.drupal.org/sa-contrib-2025-051

Search form

IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051