- GDPR Cookies all versions prior to 1.x-1.3.5
GDPR Cookies is a module that helps to meet GDPR requirements by blocking third-party services that set cookies unless and until the user consents.
The module doesn't sufficiently protect visitors from Cross-Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service", and a site must have added a YouTube service as configuration.
A CVE has been requested, and this page will be updated as soon as an official number has been issued.
Upgrade your site to the most recent version of the GDPR Cookies module. The download is available on the GDPR Cookies module page.
- Jen Lampton of the Backdrop CMS Security Team
- Martin Price, module maintainer