DRUPAL-CONTRIB-2025-081

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ckeditor5_youtube/DRUPAL-CONTRIB-2025-081.json

JSON Data

https://api.test.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-081

Aliases

CVE-2025-6674

Published

2025-06-25T18:42:06Z

Modified

2025-12-09T03:14:58.209237Z

Summary

[none]

Details

The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor.

The module doesn't sufficiently validate iframe sources under the scenario where a user embeds a video using the CKEditor YouTube integration leading to a Cross-site Scripting (XSS) vulnerabiity.
This vulnerability is mitigated by the fact that an attacker must have a role with necessary permissions to use CKEditor Youtube embed button.

References

https://www.drupal.org/sa-contrib-2025-081

Credits

- nico.b
- - https://www.drupal.org/u/nicob

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/ckeditor5_youtube

Package

Name: drupal/ckeditor5_youtube
Purl: pkg:composer/drupal/ckeditor5_youtube

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.0.4

Database specific

{
    "constraint": "<1.0.4"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ckeditor5_youtube/DRUPAL-CONTRIB-2025-081.json"

affected_versions

"<1.0.4"