CVE-2025-71310 | THREATINT

Description

The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.

PUBLISHED Reserved 2026-05-26 | Published 2026-05-26 | Updated 2026-05-26 | Assigner mitre

LOW: 1.8CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L

Problem types

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Product status

Default status

unaffected

Any version before 1.x-1.3.5

affected

References

backdropcms.org/security/sa-contrib-2025-013

cve.org (CVE-2025-71310)

nvd.nist.gov (CVE-2025-71310)

Download JSON