Description
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- required
- Scope
- changed
- Confidentiality
- low
- Integrity
- low
- Availability
- none
- Weaknesses
- CWE-79CWE-79
Metadata
- Primary Vendor
- DRUPAL
- Published
- 4/26/2023
- Last Modified
- 2/3/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
drupal : drupaldrupal : drupal
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.