Fluid Attacks Database

Description

Lack of domain validation in Druple core The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

Drupal 7 core does not include the Media module and therefore is not affected.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/drupal	>=8.0.0 <9.3.19 \|\| >=9.4.0 <9.4.3	9.3.19, 9.4.3
packagist	drupal/core	>=8.0.0 <9.3.19 \|\| >=9.4.0 <9.4.3	9.3.19, 9.4.3

Aliases

1. CVE-2022-252762. NVD-2022-252763. OSV-2022-252764. GCVE-2022-25276

References

1. https://www.drupal.org/sa-core-2022-015