oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048
Project: oEmbed Providers
Date: 2025-May-07
Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Affected versions: <2.2.2
CVE IDs: CVE-2025-47702
Description:
This module extends the core Media module and allows site creators to permit oEmbed providers in addition to YouTube and Vimeo, which are deemed trustworthy by the Drupal Security Team.
The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be granted too broadly and to users without the ability to adequately vet providers. A malicious provider could execute a Cross Site Scripting (XSS) attack.
This vulnerability is mitigated by the fact that an attacker must 1) have a role with the permission "administer oembed providers", 2) have a role with the ability to create or edit Media entities, and 3) have provisioned a publicly-accessible, malicious provider.
Solution:
Install the latest version:
- If you use oEmbed Providers module for Drupal, upgrade to oEmbed Providers 2.2.2
It is also recommended to review which roles are granted the "administer oembed providers" permission.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
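As an added example (not part of the advisory or of the oEmbed Providers module), the script below lists every role that holds the "administer oembed providers" permission named in the solution, and flags roles that can also create or edit Media entities, since that combination is the precondition the advisory describes. It assumes a Drupal site where it is run with `drush php:script` (the file name is hypothetical) and uses the core Media module's permission names.

```php
<?php

/**
 * Added audit script (not the module's own code): lists roles granted
 * "administer oembed providers" so the grant can be reviewed per
 * SA-CONTRIB-2025-048. The module-side fix is to mark the permission as
 * restricted in its permissions.yml ("restrict access: true"); this script
 * covers the site-side review the advisory recommends.
 *
 * Assumed usage: drush php:script audit_oembed_perm.php  (file name hypothetical)
 */

use Drupal\user\Entity\Role;

// Permission named in the advisory.
$permission = 'administer oembed providers';
// Core Media permissions that allow creating or editing Media entities.
$media_permissions = ['administer media', 'create media', 'update any media', 'update media'];

$findings = [];
/** @var \Drupal\user\RoleInterface $role */
foreach (Role::loadMultiple() as $role) {
  // The admin role implicitly holds every permission, so include it.
  if (!$role->isAdmin() && !$role->hasPermission($permission)) {
    continue;
  }
  $can_edit_media = $role->isAdmin();
  foreach ($media_permissions as $mp) {
    $can_edit_media = $can_edit_media || $role->hasPermission($mp);
  }
  $findings[$role->id()] = [
    'label' => $role->label(),
    'is_admin' => $role->isAdmin(),
    'can_edit_media' => $can_edit_media,
  ];
}

if (!$findings) {
  print "No role holds '$permission'.\n";
}
foreach ($findings as $rid => $info) {
  printf("%s (%s)%s%s\n",
    $info['label'], $rid,
    $info['is_admin'] ? ' [admin role]' : '',
    $info['can_edit_media'] ? ' [can also create/edit media: review this grant]' : '');
}
```

Roles flagged as able to create or edit media should keep the permission only if their members are trusted to vet providers; the grant can be removed with `user_role_revoke_permissions()` or in the permissions UI.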