Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71310

CVE-2025-71310: Backdrop CMS GDPR Cookies XSS Vulnerability

CVE-2025-71310 is a Cross Site Scripting vulnerability in the GDPR Cookies module for Backdrop CMS that allows attackers with specific permissions to inject malicious scripts. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71310 Overview

CVE-2025-71310 is a stored Cross-Site Scripting (XSS) vulnerability in the GDPR Cookies module for Backdrop CMS before version 1.x-1.3.5. The flaw exists in the optional Info content field associated with the YouTube service configuration. A user with elevated permissions can inject malicious script content that executes in the browsers of site visitors. The Backdrop CMS security team published advisory sa-contrib-2025-013 describing the issue, which is tracked under [CWE-80] (Improper Neutralization of Script-Related HTML Tags).

Critical Impact

Authenticated attackers with GDPR Cookies service management permissions can inject persistent JavaScript that executes against site visitors viewing the YouTube cookie consent interface.

Affected Products

  • Backdrop CMS GDPR Cookies module versions prior to 1.x-1.3.5
  • Sites that have configured a YouTube service within the GDPR Cookies module
  • Backdrop CMS deployments granting Create a GDPR Cookies Service or Edit any GDPR Cookies Service permissions to non-administrative roles

Discovery Timeline

  • 2026-05-26 - CVE-2025-71310 published to NVD
  • 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2025-71310

Vulnerability Analysis

The GDPR Cookies module provides cookie consent management for Backdrop CMS, including pre-configured services such as YouTube. When an administrator configures the YouTube service, the module exposes an optional Info content field intended to explain the service to visitors. The module renders this field without sufficient output encoding, allowing HTML and JavaScript supplied through it to execute in visitor browsers.

The vulnerability requires the attacker to hold a role with the Create a GDPR Cookies Service or Edit any GDPR Cookies Service permission. The target site must also have an active YouTube service configuration where the malicious content renders. Exploitation produces stored XSS that fires whenever a visitor encounters the cookie consent surface containing the YouTube service description.

Root Cause

The root cause is missing or insufficient HTML neutralization of user-supplied input on the Info content field. Backdrop's text filtering or escaping APIs were not applied to this field before rendering, leaving raw markup in the output stream. This maps to [CWE-80], where script-related HTML tags pass through to the browser unescaped.

Attack Vector

An attacker authenticated with the required permission edits or creates the YouTube GDPR Cookies service and submits a payload in the Info content field. The payload is stored in the module configuration. When a visitor loads any page that renders the YouTube consent block, the browser parses the injected markup and executes attacker-controlled JavaScript. The script runs in the visitor's session context and can perform actions such as session token theft, redirection, or DOM manipulation.

No verified public proof-of-concept code is available. See the Backdrop CMS Security Advisory for vendor technical details.

Detection Methods for CVE-2025-71310

Indicators of Compromise

  • Unexpected <script>, <img onerror=...>, or event-handler markup stored in the GDPR Cookies YouTube service Info content field
  • Outbound requests from visitor browsers to unfamiliar domains after the cookie consent banner renders
  • Audit log entries showing edits to GDPR Cookies service configuration by non-administrative roles

Detection Strategies

  • Inspect the GDPR Cookies module configuration export for HTML tags or JavaScript content within YouTube service description fields
  • Review Backdrop CMS watchdog and database logs for changes to GDPR Cookies service entries
  • Run web content security scanners against pages that render the cookie consent interface to flag reflected or stored script payloads

Monitoring Recommendations

  • Monitor role assignments granting Create a GDPR Cookies Service or Edit any GDPR Cookies Service and restrict them to trusted administrators
  • Enable Content Security Policy (CSP) headers with strict script-src directives to limit execution of inline or third-party scripts
  • Alert on configuration changes to contributed modules via file integrity monitoring or Backdrop's configuration management workflow

How to Mitigate CVE-2025-71310

Immediate Actions Required

  • Upgrade the GDPR Cookies module to version 1.x-1.3.5 or later
  • Audit existing YouTube service configurations for unexpected markup in the Info content field and sanitize any suspicious entries
  • Review which roles hold the Create a GDPR Cookies Service or Edit any GDPR Cookies Service permissions and revoke from non-trusted roles

Patch Information

The Backdrop CMS maintainers released a fix in GDPR Cookies module version 1.x-1.3.5. Refer to the Backdrop CMS Security Advisory sa-contrib-2025-013 for the official update guidance and download instructions.

Workarounds

  • Temporarily remove the YouTube service from the GDPR Cookies configuration until the module is updated
  • Restrict the GDPR Cookies service management permissions to administrative roles only
  • Deploy a Content Security Policy that blocks inline script execution to reduce exploit impact
bash
# Configuration example: restrict GDPR Cookies permissions via drush-equivalent for Backdrop
backdrop config-set gdpr_cookies.settings allowed_roles administrator

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.