Date: Tuesday, May 6th, 2025
Advisory ID: SA-CONTRIB-2025-013
Security risk: Less Critical
Vulnerability: Cross Site Scripting
Versions affected:
  • GDPR Cookies all versions prior to 1.x-1.3.5
Description: 

GDPR Cookies is a module that helps a site meet GDPR requirements by blocking third-party services that set cookies unless and until the user consents.

The module does not sufficiently sanitize the optional 'Info content' field of the YouTube service, so a malicious value stored in that field is not adequately protected against and can result in Cross Site Scripting against site visitors.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service", and the site must have a YouTube service configured.

A CVE has been requested, and this page will be updated as soon as an official number has been issued.

Solution: 

Upgrade your site to the most recent version of the GDPR Cookies module. The download is available on the GDPR Cookies module page.

Reported By: 
Fixed By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form