CVE-2025-48915

EUVD ID: EUVD-2025-18288
Severity: HIGH (CVSS 3.1 base score 8.6)
Published: 2025-06-13
Assigner contact: [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (source: nvd); patch available
EUVD ID Assigned: Mar 14, 2026 - 21:34 (source: euvd); EUVD-2025-18288
Analysis Generated: Mar 14, 2026 - 21:34 (source: vuln.today)
CVE Published: Jun 13, 2025 - 16:15 (source: nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.

Analysis

Cross-Site Scripting (XSS) vulnerability in Drupal's COOKiES Consent Management module that allows unauthenticated remote attackers to inject and execute malicious scripts during web page generation. All versions from 0.0.0 before 1.2.15 are affected. The vulnerability has a high CVSS score of 8.6 with no authentication or user interaction required, enabling attackers to compromise confidentiality, modify page content, and degrade availability. The network-based attack vector and low complexity indicate this is likely actively exploitable in real-world deployments.

Technical Context

The vulnerability exists in the Drupal COOKiES Consent Management module (CPE: cpe:2.3:a:drupal:cookies_consent_management:*), which is a web-based cookie consent banner and management solution for Drupal-based websites. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic XSS vulnerability where user-controlled input or configuration data is rendered into HTML/JavaScript without proper sanitization or output encoding. In the context of a cookie consent management tool, this likely involves inadequate escaping of cookie policy text, consent messages, or configuration parameters that are reflected in the dynamically generated consent banner. The module operates within Drupal's rendering pipeline, where content should be properly sanitized using Drupal's XHTML filter or equivalent functions before output. The failure to do so allows attackers to bypass the cookie consent interface entirely and inject arbitrary client-side code.

Affected Products

COOKiES Consent Management (0.0.0 to 1.2.14 (inclusive))

Remediation

Immediate Patch (priority: CRITICAL): Upgrade the Drupal COOKiES Consent Management module to version 1.2.15 or later. Method: use Drupal's module update system (Manage > Extend > Update) or Composer: composer update drupal/cookies_consent_management

Verification (priority: HIGH): After patching, verify the module version with drush pm-info cookies_consent_management or check /admin/modules.

Interim Mitigation, if patching is delayed (priority: MEDIUM): Temporarily disable the COOKiES Consent Management module via /admin/modules; this removes the attack surface entirely.

Input Validation Review (priority: HIGH): If operating a custom fork or extension, audit all cookie policy text, consent message fields, and configuration parameters to ensure they are properly sanitized using Drupal's sanitizer functions (e.g., Xss::filter(), htmlspecialchars() with ENT_QUOTES, or the render array #plain_text property).

WAF/Content Security Policy (priority: MEDIUM): Implement or strengthen Content Security Policy (CSP) headers to restrict inline script execution and limit the XSS blast radius even if exploitation occurs.
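The Input Validation Review item above is illustrated by the following added example. It is not code from the COOKiES module or from Drupal; the function names, the settings object and the sample consent text are constructed for illustration. It contrasts a consent banner that concatenates site-configured text straight into markup (the CWE-79 pattern) with one that escapes every configured value first, and adds a small audit helper of the kind a fork maintainer could run over exported configuration to flag values that contain markup.

```javascript
// Added example (hypothetical names; not the COOKiES module's code).
// Demonstrates the CWE-79 pattern and its hardened counterpart for a
// consent banner whose text comes from site configuration.

// Minimal HTML escaping for text placed into element content or quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: configuration strings are concatenated into markup
// unescaped, so any markup an editor (or a compromised config import) puts
// in the text is interpreted by the browser.
function renderBannerUnsafe(settings) {
  return '<div class="cookies-banner">' + settings.text +
         '<button>' + settings.buttonLabel + '</button></div>';
}

// Hardened pattern: every configuration value is escaped before it is
// concatenated, so the same text is shown literally instead of executed.
// In real DOM code the equivalent is element.textContent = settings.text
// rather than element.innerHTML = ...
function renderBannerSafe(settings) {
  return '<div class="cookies-banner">' + escapeHtml(settings.text) +
         '<button>' + escapeHtml(settings.buttonLabel) + '</button></div>';
}

// Audit helper for the review step: returns the names of configuration
// fields whose value contains an HTML tag, i.e. fields that need a closer look
// before they are rendered anywhere without escaping.
function auditSettings(settings) {
  const tagPattern = /<\s*\/?\s*[a-z][^>]*>/i;
  return Object.keys(settings).filter((key) => tagPattern.test(String(settings[key])));
}

// Constructed sample: admin-entered consent text that happens to contain a tag.
const sampleSettings = {
  text: 'We use cookies <script>alert(1)</script>',
  buttonLabel: 'Accept',
};

// Stand-alone run: the unsafe banner keeps the tag, the safe one neutralises it.
console.log(renderBannerUnsafe(sampleSettings));
console.log(renderBannerSafe(sampleSettings));
console.log('fields containing markup:', auditSettings(sampleSettings));
```

The escape function covers the five characters that matter inside element content and quoted attribute values; it is not a substitute for context-specific encoding when a value lands inside a URL, a JavaScript string, or an unquoted attribute. A CSP that disallows inline scripts (the WAF/CSP item above) limits what an injected tag can do even when an escaping gap remains.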

Priority Score

43 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +43
POC: 0
