6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25276

GHSA ID

GHSA-4wfq-jc9h-vpcx

EPSS Score

0.78372%

CWE

CWE-79

Published

4/26/2023

Updated

11/12/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-25276

CVE-2022-25276: Lack of domain validation in Druple core

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

Drupal 7 core does not include the Media module and therefore is not affected.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-25276

GHSA ID

GHSA-4wfq-jc9h-vpcx

EPSS Score

0.78372%

CWE

CWE-79

Published

4/26/2023

Updated

11/12/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
drupal/core	composer	>= 8.0.0, < 9.3.19	9.3.19
drupal/core	composer	>= 9.4.0, < 9.4.3	9.4.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly mentions improper domain validation in the Media oEmbed iframe route. The OEmbedController::renderIframe method is the primary handler for oEmbed iframe rendering in Drupal's Media module. Before the patched versions, this controller did not implement proper domain validation checks when generating iframe content, allowing arbitrary domains to be embedded. This matches the CWE-79 (XSS) pattern of improper input validation during content generation. The confidence is high as this is the canonical oEmbed iframe handler and the vulnerability directly relates to its domain validation logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** M**i* o*m*** i*r*m* rout* *o*s not prop*rly v*li**t* t** i*r*m* *om*in s*ttin*, w*i** *llows *m***s to ** *ispl*y** in t** *ont*xt o* t** prim*ry *om*in. Un**r **rt*in *ir*umst*n**s, t*is *oul* l*** to *ross-sit* s*riptin*, l**k** *ooki*s, or ot*

Reasoning

T** vuln*r**ility **s*ription *xpli*itly m*ntions improp*r *om*in v*li**tion in t** M**i* o*m*** i*r*m* rout*. T** `O*m****ontroll*r::r*n**rI*r*m*` m*t*o* is t** prim*ry **n*l*r *or o*m*** i*r*m* r*n**rin* in *rup*l's M**i* mo*ul*. ***or* t** p*t****

6.1

Basic Information

Concerned about an active attack path?

CVE-2022-25276: Lack of domain validation in Druple core

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI