CVE-2022-25276
Description
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core's Media oEmbed iframe route fails to validate the iframe domain, allowing embeds in the primary domain context, potentially leading to XSS or cookie theft.
The vulnerability occurs in Drupal core's Media oEmbed iframe route, which does not properly validate the iframe domain setting [2][3]. This allows oEmbed embeds to be displayed in the context of the primary domain, bypassing same-origin restrictions.
An attacker can exploit this by crafting a malicious oEmbed URL or embedding content from an untrusted domain. Since the iframe domain is not validated, the embedded content is rendered within the security context of the primary domain, enabling cross-site scripting (XSS) or cookie leakage [2][3].
Successful exploitation could lead to XSS attacks, theft of authentication cookies, or other vulnerabilities that rely on executing script in the victim's session [2][3].
The issue is fixed in Drupal 9.4.3 and 9.3.19 [3]. Drupal 7 is not affected as it does not include the Media module. Drupal 8 and earlier versions have reached end-of-life and are not patched [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/core | Packagist | >= 8.0.0, < 9.3.19 | 9.3.19 |
| drupal/core | Packagist | >= 9.4.0, < 9.4.3 | 9.4.3 |
Affected products
- (no CPE) range: >= 9.3.0, < 9.3.19
- (no CPE) range: >= 8.0.0, < 9.3.19
- Drupal/Core range: 9.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4wfq-jc9h-vpcx (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-25276 (advisory, via GHSA)
- www.drupal.org/sa-core-2022-015 (web, via GHSA)
News mentions
No linked articles in our index yet.