logo

Database

OS Command Injection In drupal/cookies

Description

The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.

The cookies_asset_injector module (a sub-module of the COOKiES module) also allows inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-477032. NVD-2025-477033. OSV-DRUPAL-CONTRIB-2025-0494. OSV-2025-477035. GCVE-2025-477036. drupal.org

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.