CVE-2025-71310

LOW EPSS 17.8%
Published May 26, 20261mo ago · Modified Jun 17, 20262w ago
1.8 CVSS 4.0
Low
Find Similar
Published May 26, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.

CVSS Details

Base Score
1.8
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required High
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
17.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-80

References 1

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.