GHSA-4wfq-jc9h-vpcx

GitHub Security Advisory

Lack of domain validation in Drupal core

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

Drupal 7 core does not include the Media module and therefore is not affected.

Affected Packages

Packagist drupal/core
Affected versions: 8.0.0 (fixed in 9.3.19)
Packagist drupal/core
Affected versions: 9.4.0 (fixed in 9.4.3)

Related CVEs

Key Information

GHSA ID: GHSA-4wfq-jc9h-vpcx
Published: April 26, 2023 3:30 PM
Last Modified: May 5, 2023 9:40 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: Packagist
Primary Package: drupal/core
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.