Insecure service configuration in drupal/cookies

Description

The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent.

Each sub-module allows a specific third-party service to be included in the consent management by controlling the execution of JavaScript. However, this mechanism does not adequately check whether the provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions