GDPR Cookies - Less critical - Cross Site Scripting - SA-CONTRIB-2025-013
GDPR Cookies is a module that helps to meet GDPR requirements by blocking third-party services that set cookies unless and until the user consents.
The module doesn't sufficiently protect visitors from Cross Site Scripting if a malicious value has been provided for the optional 'Info content' field for the YouTube service.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service", and a site must have added a YouTube service as configuration.
A CVE has been requested, and this page will be updated as soon as an official number has been issued.
- GDPR Cookies: all versions prior to 1.x-1.3.5