CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS). This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.15.
Analysis
This is a Stored/Reflected Cross-Site Scripting (XSS) vulnerability in Drupal's COOKiES Consent Management module (versions before 1.2.15) that allows unauthenticated attackers to inject malicious scripts into web pages because input is not properly neutralized. The vulnerability has a CVSS score of 8.6 (High severity): the attack vector is network-based and requires no privileges or user interaction, and a successful attack compromises the confidentiality, integrity, and availability of affected sites. No active KEV entry or widespread public PoC data is available in standard vulnerability databases, suggesting limited real-world exploitation at the time of analysis, though the high CVSS score and ease of exploitation (AV:N/AC:L/PR:N/UI:N) warrant immediate patching.
Technical Context
The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic XSS flaw where user-supplied input is rendered directly into HTML/JavaScript contexts without sanitization or encoding. The Drupal COOKiES Consent Management module (CPE: drupal:cookies_consent_management) fails to properly escape or filter input before displaying it in dynamically generated web pages, likely within cookie consent banner templates, configuration forms, or consent tracking mechanisms. Drupal modules leverage the Drupal Form API and theme rendering system; the flaw likely occurs in hook implementations (hook_form_alter, hook_preprocess_*, or custom theme functions) where user data from cookie consent settings, banner text customization, or tracking parameters is passed to render arrays without using proper Drupal sanitization functions (e.g., Html::escape(), Xss::filter()) or Twig autoescaping.
Affected Products
Drupal COOKiES Consent Management module: all versions from 0.0.0 up to and including 1.2.14. Affected component identified as drupal:cookies_consent_management with affected version range <1.2.15. This module is commonly installed on Drupal 9.x and 10.x sites managing GDPR/CCPA cookie compliance. Specific configurations at risk include any Drupal installation with COOKiES Consent Management enabled and exposed consent forms, banner text fields, or tracking ID parameters that accept user input. Vendor advisory likely available at drupal.org/project/cookies_consent_management security advisories page.
Remediation
Immediate actions: (1) Update Drupal COOKiES Consent Management module to version 1.2.15 or later, which includes input neutralization fixes; (2) If immediate patching is impossible, disable the module temporarily or restrict access to configuration forms using Drupal permissions (limit to trusted administrators only); (3) Review and sanitize any existing user-provided data in the module's database (cookie settings, custom banner text) using Drupal's database sanitization tools; (4) Implement Web Application Firewall (WAF) rules to detect and block XSS patterns in parameters known to be processed by the module (e.g., consent banner text, tracking parameters); (5) Enable Drupal's Security Review module to identify additional input handling vulnerabilities; (6) Apply Drupal security best practices: use Twig autoescaping, leverage Form API's built-in sanitization, and conduct code review of any custom hooks or theme overrides. Patch deployment should be prioritized within 48 hours given the ease of exploitation.
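The render-array pattern described in Technical Context, and the Twig autoescaping / Form API guidance in Remediation, as an added example that is not the module's own code: a hypothetical consent-banner build function shown first in the unsafe form (the configured banner text is wrapped in Markup::create(), which marks it as already-safe HTML and bypasses the renderer's filtering) and then hardened by choosing the render element for the output context. Assumes the Drupal 10 render API, \Drupal\Core\Render\Markup and \Drupal\Component\Utility\Xss; the function names and the mymodule prefix are placeholders.

```php
<?php

use Drupal\Component\Utility\Xss;
use Drupal\Core\Render\Markup;

/**
 * UNSAFE (illustrates the CWE-79 pattern, hypothetical code).
 *
 * Markup::create() tells the renderer that $banner_text is trusted HTML, so
 * the stored setting reaches the browser verbatim and #markup's default
 * Xss::filterAdmin() pass is skipped.
 */
function mymodule_unsafe_banner_build(string $banner_text): array {
  return [
    '#type' => 'container',
    'text' => [
      '#markup' => Markup::create($banner_text),
    ],
  ];
}

/**
 * HARDENED (hypothetical code): pick the element by rendering context.
 *
 * @param string $banner_text   Setting that must be shown as plain text.
 * @param string $banner_html   Setting where editors may use basic HTML.
 * @param string $tracking_id   Value that lands inside an HTML attribute.
 */
function mymodule_safe_banner_build(string $banner_text, string $banner_html, string $tracking_id): array {
  return [
    '#type' => 'container',
    // #plain_text: the renderer HTML-escapes every character (Html::escape()).
    'text' => [
      '#plain_text' => $banner_text,
    ],
    // Editor HTML: Xss::filter() keeps only its default safe tag whitelist
    // (a, em, strong, cite, blockquote, code, ul, ol, li, dl, dt, dd).
    'rich_text' => [
      '#markup' => Xss::filter($banner_html),
    ],
    // Attribute context: pass the value through #context so Twig autoescaping
    // encodes it; never concatenate it into a template or script string.
    'tracking' => [
      '#type' => 'inline_template',
      '#template' => '<div class="cookies-banner" data-tracking-id="{{ id }}"></div>',
      '#context' => ['id' => $tracking_id],
    ],
  ];
}
```

In a code review of custom hooks or theme overrides, any Markup::create(), FormattableMarkup, or Twig |raw filter applied to a configurable consent setting is the pattern to flag.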
EUVD-2025-18289