CVE-2025-71310
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L
Summary
The GDPR cookies module for Backdrop CMS (before
1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| BackdropCMS | GDPR cookies module for Backdrop CMS | 0 < 1.x-1.3.5 | affected |
Weaknesses
- CWE-80: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Workarounds
Remove the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service", from all roles, or remove the YouTube service as configuration.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.