Lucene search

GitHub Advisory DatabaseGHSA-4WFQ-JC9H-VPCX

HistoryApr 26, 2023 - 3:30 p.m.

Lack of domain validation in Druple core

2023-04-2615:30:21

CWE-79

GitHub Advisory Database

github.com

drupal

domain validation

cross-site scripting

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

18.2%

JSON

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

Drupal 7 core does not include the Media module and therefore is not affected.

Affected configurations

Vulners

Node

drupal_coredrupal_coreRange<9.4.3

drupal_coredrupal_coreRange8.0.0≥

drupal_coredrupal_coreRange<9.3.19

CPENameOperatorVersion
drupal/corelt9.4.3
drupal/corege8.0.0
drupal/corelt9.3.19

Name	Operator	Version
drupal/core	lt	9.4.3
drupal/core	ge	8.0.0
drupal/core	lt	9.3.19

References

github.com/advisories/GHSA-4wfq-jc9h-vpcx

nvd.nist.gov/vuln/detail/CVE-2022-25276

www.drupal.org/sa-core-2022-015

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

18.2%

JSON

Related for GHSA-4WFQ-JC9H-VPCX