Drupal has patched one Moderately Critical vulnerability that affects multiple versions of Drupal Core.
A remote attacker could exploit this vulnerability to compromise an affected system.
The Drupal vulnerability (CVE-2022-25276) affects the ‘Media oEmbed iframe route’ feature in multiple Drupal Core products.
“The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities,” Drupal noted in the advisory.
The vulnerability is fixed in Drupal 9.4.3 (if using 9.4) and Drupal 9.3.19 (if using 9.3).
All versions of Drupal 9 prior to 9.3.x are end-of-life.