CVE-2025-71310

Summary

The GDPR cookies module for Backdrop CMS (before

1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.

Affected Software

VendorProductVersion RangeStatus
BackdropCMSGDPR cookies module for Backdrop CMS0 < 1.x-1.3.5affected

Weaknesses

  • CWE-80: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Workarounds

Remove the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service", from all roles, or remove the YouTube service as configuration.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References