Vulnerability-Lookup

Vulnerability from drupal

Published

2025-07-16 16:46

Modified

2025-07-17 14:42

Summary

Details

This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like.

The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of a XSS attack.

This vulnerability is mitigated by the fact that an attacker must be able to author content that is analyzed by the Real-Time SEO module.

Credits

Pierre Rudloff (prudloff) www.drupal.org/u/prudloff

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003e=2.0.0 \u003c2.2.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/yoast_seo"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003e=2.0.0 \u003c2.2.0"
          },
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2025-7716"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/prudloff"
      ],
      "name": "Pierre Rudloff (prudloff)"
    }
  ],
  "details": "This module enables you to analyze the content that you\u0027re authoring for a website. It shows you a preview of what a search result might look like.\n\nThe module doesn\u0027t sufficiently escape the metadata from content while rendering the preview, opening up the possibility of a XSS attack.\n\nThis vulnerability is mitigated by the fact that an attacker must be able to author content that is analyzed by the Real-Time SEO module.",
  "id": "DRUPAL-CONTRIB-2025-091",
  "modified": "2025-07-17T14:42:36.000Z",
  "published": "2025-07-16T16:46:49.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-091"
    }
  ],
  "schema_version": "1.7.0"
}

CVE-2025-7716 (GCVE-0-2025-7716)

Vulnerability from cvelistv5 – Published: 2025-07-21 16:36 – Updated: 2025-07-22 14:01

Title

Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091

Summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Real-time SEO for Drupal allows Cross-Site Scripting (XSS).This issue affects Real-time SEO for Drupal: from 2.0.0 before 2.2.0.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2025-091

Impacted products

	Vendor	Product	Version
	Drupal	Real-time SEO for Drupal	Affected: 2.0.0 , < 2.2.0 (semver)

Credits

Pierre Rudloff (prudloff) Alexander Varwijk (kingdutch) Pierre Rudloff (prudloff) Damien McKenna (damienmckenna) Greg Knaddison (greggles) Pierre Rudloff (prudloff), provisional member of the Drupal Security Team Jess (xjm)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-7716",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-22T14:00:57.186300Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-22T14:01:22.850Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/yoast_seo",
          "defaultStatus": "unaffected",
          "product": "Real-time SEO for Drupal",
          "repo": "https://git.drupalcode.org/project/yoast_seo",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "2.2.0",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pierre Rudloff (prudloff)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Alexander Varwijk (kingdutch)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Pierre Rudloff (prudloff)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Damien McKenna (damienmckenna)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison (greggles)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Pierre Rudloff (prudloff), provisional member of the Drupal Security Team"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jess  (xjm)"
        }
      ],
      "datePublic": "2025-07-16T16:46:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Real-time SEO for Drupal allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Real-time SEO for Drupal: from 2.0.0 before 2.2.0.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Real-time SEO for Drupal allows Cross-Site Scripting (XSS).This issue affects Real-time SEO for Drupal: from 2.0.0 before 2.2.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-21T16:36:53.447Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2025-091"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2025-7716",
    "datePublished": "2025-07-21T16:36:53.447Z",
    "dateReserved": "2025-07-16T14:53:52.873Z",
    "dateUpdated": "2025-07-22T14:01:22.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from drupal

CVE-2025-7716 (GCVE-0-2025-7716)

Tags

Sightings

Nomenclature