Ricochet super-team Stephen Pope and Rick Destree were invaluable in upgrading the functionalities of the MarketTools corporate website, helping us implement new design elements and site structure, and launching a new website on very short notice when our business unit was acquired by Confirmit. Along the way, they taught me a lot about Drupal! Stephen’s help was critical in dealing with some difficult pre-existing server environment issues, and he went the extra mile many times to get us past the crunch points. I absolutely recommend Stephen and his team!
—Laura Newton

Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-073

Wed, 2025-05-28 10:44 — Anonymous (not verified)

Project: Simple KlaroDate: 2025-May-28Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.10.0CVE IDs: CVE-2025-48919Description: The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend.
The module doesn't sufficiently sanitise data attributes allowing persistent Cross Site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.Solution: Install the latest version:

If you use the "Simple Klaro" module for Drupal 9.x/10.x/11.x, upgrade to Simple Klaro 1.10.0

Reported By:

Pierre Rudloff (prudloff)

Fixed By:

Norman Kämper-Leymann (norman.lol)

Coordinated By:

Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff)
Cathy Theys (yesct) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-073

Search form

Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-073