CVE-2025-6674
BaseFortify
Publication date: 2025-06-26
Last updated on: 2025-07-16
Assigner: Drupal.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gabderrahim | ckeditor5_youtube | to 1.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6674 is a Cross-site Scripting (XSS) vulnerability in the CKEditor5 Youtube module for Drupal. This module allows embedding YouTube videos into the CKEditor 5 text editor. The vulnerability occurs because the module does not properly validate iframe sources when users embed videos, allowing an attacker with permission to embed YouTube videos to exploit the XSS flaw by injecting malicious scripts. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with embedding permissions to execute malicious scripts in the context of the affected Drupal site. This could lead to unauthorized actions such as stealing user session data, defacing the website, or performing actions on behalf of other users, potentially compromising site integrity and user security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying the version of the CKEditor5 Youtube module installed in your Drupal environment. Since the vulnerability is due to improper validation of iframe sources in versions before 1.0.3, you can check the module version via Drupal's administrative interface or by running a command to list installed modules and their versions. For example, use the Drush command: `drush pm:list --type=module --status=enabled | grep ckeditor5_youtube` to identify the installed version. Additionally, monitoring for unusual iframe embed attempts or unexpected script injections in user-submitted content could indicate exploitation attempts, but no specific network commands are provided. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the CKEditor5 Youtube module to version 1.0.3 or later, as this version contains the fix for the Cross-site Scripting vulnerability. Additionally, review and restrict user permissions to embed YouTube videos via CKEditor to only trusted roles, minimizing the risk of exploitation by unauthorized users. [1]