Overview
Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. The EU Cookie Compliance (GDPR Compliance) module addresses the General Data Protection Regulation (GDPR) and the EU Directive on Privacy and Electronic Communications.
In the module's configuration form, users can list JavaScript files that the module blocks until the visitor gives consent. Because the module does not sufficiently verify that these "disabled JavaScript" entries exist or can be found on the page, an attacker with access to that form can inject and execute arbitrary JavaScript: the attacker adds a malicious script entry that the module then attempts to manage, causing the script to run.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer EU Cookie Compliance banner."
This issue affects all versions of EU Cookie Compliance lower than 7.x-1.45.
Details
Module Info
Product: Drupal
Affected modules: EU Cookie Compliance (GDPR Compliance)
Affected versions: < 7.x-1.45
Project page: https://www.drupal.org/project/eu_cookie_compliance
Vulnerability Info
This medium-severity vulnerability is found in the EU Cookie Compliance contributed module in versions lower than 7.x-1.45.
Addressing the Issue
Users of the affected component(s) should address this vulnerability in one of the following ways:
- Check that no unauthorized users have the Administer EU Cookie Compliance banner permission.
- Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.
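The following Drupal 7 snippet is an added illustration of the two defender-side checks discussed above, the permission audit from the list and the kind of input validation the Overview says the module lacked. It is not code from the module, from the fix, or from HeroDevs. The permission machine name, the settings form element key and the form ID are placeholders that must be confirmed against the module's own hook_permission() and settings form; the Drupal core APIs used (user_roles(), form_set_error(), t(), watchdog(), DRUPAL_ROOT) are real.

```php
<?php
/**
 * Added illustration (not the module's own code) of two defender-side checks
 * for the issue described in this advisory, written against the Drupal 7 API.
 *
 * Assumptions: EUCC_ADMIN_PERMISSION, the form element key
 * 'disabled_javascripts' and the form to attach the validator to are
 * placeholders to confirm against the module's hook_permission() and its
 * settings form.
 */

// Placeholder: confirm against the module's hook_permission() implementation.
define('EUCC_ADMIN_PERMISSION', 'administer EU Cookie Compliance popup');

/**
 * Lists every role that holds the banner-administration permission.
 *
 * In Drupal 7, user_roles(FALSE, $permission) returns only the roles that
 * have been granted $permission, keyed by role ID. Any unexpected role here
 * is the exposure the advisory's first mitigation asks you to rule out.
 */
function eucc_audit_admin_roles() {
  $roles = user_roles(FALSE, EUCC_ADMIN_PERMISSION);
  foreach ($roles as $rid => $name) {
    watchdog('eucc_audit', 'Role %name (rid @rid) may administer the cookie banner.',
      array('%name' => $name, '@rid' => $rid), WATCHDOG_INFO);
  }
  return $roles;
}

/**
 * Validates one "disabled JavaScript" entry before it is saved.
 *
 * Accepts only a site-relative path, without a URL scheme, that ends in .js
 * and resolves to an existing file inside DRUPAL_ROOT. Returns NULL when the
 * entry is acceptable, otherwise a human-readable reason for rejecting it.
 */
function eucc_validate_disabled_js_entry($entry) {
  $entry = trim($entry);
  if ($entry === '') {
    return NULL; // Blank lines are ignored, not errors.
  }
  // Reject anything that is not a plain site-relative path.
  if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $entry) || strpos($entry, '//') === 0) {
    return t('External URLs are not allowed: @entry', array('@entry' => $entry));
  }
  if (preg_match('/[<>"\'\s]/', $entry)) {
    return t('Entry contains characters that are not valid in a path: @entry', array('@entry' => $entry));
  }
  if (strtolower(substr($entry, -3)) !== '.js') {
    return t('Entry must reference a .js file: @entry', array('@entry' => $entry));
  }
  // Resolve the path and make sure it stays inside the site root
  // (realpath() also collapses any ../ traversal before the prefix check).
  $root = realpath(DRUPAL_ROOT);
  $real = realpath($root . '/' . ltrim($entry, '/'));
  if ($real === FALSE || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
    return t('File does not exist under the site root: @entry', array('@entry' => $entry));
  }
  return NULL;
}

/**
 * Form validation callback: applies the check to every line of the textarea.
 *
 * Placeholder wiring: attach this with hook_form_FORM_ID_alter() to the
 * module's settings form, substituting the real form ID and element name.
 */
function eucc_disabled_js_validate($form, &$form_state) {
  $lines = preg_split('/\r\n|\r|\n/', $form_state['values']['disabled_javascripts']);
  foreach ($lines as $line) {
    $reason = eucc_validate_disabled_js_entry($line);
    if ($reason !== NULL) {
      form_set_error('disabled_javascripts', $reason);
    }
  }
}
```

The validator deliberately rejects anything the module could not actually find on the page (external URLs, non-.js names, paths outside the site root), which is the condition the Overview identifies as unchecked in affected versions; the audit function is a quick way to confirm the first mitigation from an administrative PHP context such as drush.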
Credits
- Pierre Rudloff (prudloff)