CVE-2025-48918

EUVD-2025-18291 | HIGH 8.8 (CVSS 3.1)
2025-06-13 | [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: High
- Integrity: Low
- Availability: Low

Lifecycle Timeline (4 events)

- Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
- EUVD ID Assigned: Mar 14, 2026 - 21:34 (euvd) - EUVD-2025-18291
- Analysis Generated: Mar 14, 2026 - 21:34 (vuln.today)
- CVE Published: Jun 13, 2025 - 16:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple Klaro allows Cross-Site Scripting (XSS). This issue affects Simple Klaro: from 0.0.0 before 1.10.0.

Analysis

CVE-2025-48918 is a stored/reflected Cross-Site Scripting (XSS) vulnerability in the Drupal Simple Klaro module, versions before 1.10.0, which fails to properly neutralize user input during web page generation. An unauthenticated remote attacker can inject malicious scripts that execute in victims' browsers with high impact on confidentiality and integrity, though the attack requires user interaction (clicking a malicious link). The vulnerability has a high CVSS score of 8.8 due to its network-based attack vector and changed scope, but real-world exploitation likelihood depends on KEV/EPSS data not provided in the available intelligence.

Technical Context

The Drupal Simple Klaro module (CPE identifier likely: cpe:2.3:a:drupal:simple_klaro:*:*:*:*:*:*:*:*) is a consent management extension for Drupal that integrates the Klaro.js cookie consent library. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating the module fails to sanitize or escape user-controlled input before rendering it in an HTML context. This allows attackers to inject arbitrary JavaScript that executes within the security context of the Drupal site. The root cause likely involves inadequate use of Drupal's sanitization APIs (such as Xss::filter() or proper output escaping) when processing Klaro configuration parameters, consent preferences, or related UI elements. Versions 0.0.0 through 1.9.x are vulnerable; the fix shipped in version 1.10.0.

Affected Products

Drupal Simple Klaro: 0.0.0 to 1.9.x (all versions before 1.10.0)

Remediation

- Immediate Patching: Upgrade the Drupal Simple Klaro module to version 1.10.0 or later. Check the Drupal.org module page for the security advisory and update links.
- Verification: After patching, clear Drupal caches (drush cache:rebuild or via the admin UI) and verify the module version via /admin/modules or drush status.
- Workaround (Temporary): If immediate patching is not feasible, disable the Simple Klaro module until the patch is applied. Implement alternative cookie consent via other secure modules or hardcoded HTML until remediated.
- Code Review: Audit any custom Drupal code that integrates with Simple Klaro to ensure downstream sanitization is applied if user data is processed.
- Security Headers: Implement Content-Security-Policy (CSP) headers to mitigate XSS impact, for example: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'.
- References: Consult the Drupal Security Advisory at https://www.drupal.org/project/simple_klaro (check the security advisories tab) and https://security.drupal.org for official guidance.
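The verification and security-header steps above can be scripted. The following is an added example, not code from vuln.today, Drupal or the Simple Klaro project: it takes the module version string an operator reads from /admin/modules or drush output and the Content-Security-Policy header the site actually sends, and reports whether the version is still in the affected range (before 1.10.0) and whether the script-src policy leaves inline or wildcard script execution open. The version strings and CSP headers it is run against are constructed sample inputs; the Drupal-style "8.x-" prefix handling and the treatment of a 1.10.0 pre-release as still affected are the example's own conservative assumptions.

```python
"""Post-remediation checks for CVE-2025-48918 (Drupal Simple Klaro XSS).

Added example, not code from the advisory page or the module. Inputs are the
module version string reported by Drupal and the site's CSP header; all sample
values below are constructed.
"""
import re

FIXED_VERSION = "1.10.0"  # first non-affected release per the advisory

# Source expressions in script-src that leave XSS payloads executable.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_version(v: str) -> tuple:
    """Return ((major, minor, patch), is_prerelease) for a Drupal-style version.

    Accepts '1.9.2', '8.x-1.9.2' (legacy core prefix, dropped) and '1.10.0-beta1'
    (any suffix after the numeric part marks a pre-release).
    """
    v = re.sub(r"^\d+\.x-", "", v.strip())
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), bool(suffix.strip())


def is_vulnerable(version: str) -> bool:
    """True when the installed version falls in the affected range (< 1.10.0).

    Assumption (conservative): a pre-release of 1.10.0 is treated as affected,
    because the advisory names only the final 1.10.0 release as fixed.
    """
    base, prerelease = parse_version(version)
    fixed, _ = parse_version(FIXED_VERSION)
    return base < fixed or (base == fixed and prerelease)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.

    Per the CSP spec the first occurrence of a directive wins, hence setdefault.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_script_findings(header: str) -> list:
    """List weaknesses in the effective script policy (script-src, else default-src)."""
    policy = parse_csp(header)
    if "script-src" in policy:
        origin, sources = "script-src", policy["script-src"]
    elif "default-src" in policy:
        origin, sources = "default-src (script-src fallback)", policy["default-src"]
    else:
        return ["no script-src or default-src: scripts are unrestricted"]
    lowered = [s.lower() for s in sources]
    # CSP3: 'unsafe-inline' is ignored by browsers once a nonce or hash source is present.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    findings = []
    for s in lowered:
        if s == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if s in WEAK_SCRIPT_SOURCES:
            findings.append(f"{origin} allows {s}")
    return findings


def remediation_report(version: str, csp_header: str) -> dict:
    """Combine both checks into one result an operator can act on."""
    return {
        "module_version": version,
        "still_affected": is_vulnerable(version),
        "csp_findings": csp_script_findings(csp_header),
    }


if __name__ == "__main__":
    # Constructed sample inputs: an unpatched install with a permissive header,
    # then a patched install sending the header suggested in the remediation list.
    print(remediation_report("8.x-1.9.2", "default-src 'self' 'unsafe-inline'"))
    print(remediation_report(
        "1.10.0",
        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
    ))
```

The CSP check deliberately looks only at the script policy: 'unsafe-inline' under style-src, as in the header the remediation list suggests, does not by itself make injected script executable, so it is not flagged. A header with no script-src and no default-src is reported as unrestricted rather than silently passed.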

Priority Score

44 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.1
- CVSS: +44
- POC: 0


CVE-2025-48918 vulnerability details – vuln.today
