The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

https://www.drupal.org/sa-core-2022-015
https://www.drupal.org/sa-core-2022-014
https://www.drupal.org/sa-core-2022-013
https://www.drupal.org/sa-core-2022-008
https://www.drupal.org/sa-core-2022-009
https://www.drupal.org/sa-core-2022-012
Created drupal7 tracking bugs for this issue:

Affects: epel-7 [bug 2190031]
Affects: fedora-all [bug 2190032]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.