CVE-2025-47704 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the Drupal Klaro Cookie & Consent Management module versions prior to 3.0.5. This vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts into web pages viewed by other users. Specifically, the flaw exists in how the Klaro module handles user-supplied input, failing to adequately sanitize or encode it before rendering it in the browser context. Exploiting this vulnerability requires no privileges (PR:N) but does require user interaction (UI:R), such as clicking a crafted link or visiting a malicious page. The vulnerability has a CVSS 3.1 base score of 6.1, indicating a medium severity level. The attack vector is network-based (AV:N), meaning it can be exploited remotely over the internet without physical or local access. The scope is changed (S:C), implying that exploitation can affect resources beyond the vulnerable component, potentially impacting the confidentiality and integrity of data across the affected Drupal site. The impact primarily affects confidentiality and integrity (C:L/I:L) but does not affect availability (A:N). No known exploits are currently reported in the wild, and no official patches or mitigation links are provided yet, though the vulnerability is publicly disclosed and tracked by CISA. This vulnerability is significant because Klaro is a popular cookie and consent management tool integrated into Drupal websites, which are widely used for content management across various sectors. An attacker leveraging this XSS flaw could execute arbitrary JavaScript in the context of the victim’s browser, potentially stealing session cookies, performing actions on behalf of users, or delivering further malicious payloads.

For European organizations, this vulnerability poses a moderate risk, especially for those relying on Drupal sites with the Klaro Cookie & Consent Management module. Exploitation could lead to unauthorized disclosure of user session information, enabling account hijacking or unauthorized actions within the affected web applications. This is particularly concerning for organizations handling sensitive personal data under GDPR, as exploitation could result in data breaches and regulatory penalties. Additionally, compromised websites could be used to distribute malware or conduct phishing campaigns targeting European users. The impact is heightened for sectors such as government, finance, healthcare, and e-commerce, where trust and data integrity are paramount. Since the vulnerability requires user interaction, social engineering tactics could be employed to increase exploitation success. The lack of an official patch at the time of disclosure means organizations must act quickly to implement interim mitigations to protect their users and data.

1. Immediate upgrade: Organizations should monitor for the release of Klaro Cookie & Consent Management version 3.0.5 or later, which addresses this vulnerability, and apply the update promptly. 2. Input sanitization: Until a patch is available, implement additional server-side input validation and output encoding for any user-supplied data processed by the Klaro module. 3. Content Security Policy (CSP): Deploy a strict CSP header to restrict the execution of unauthorized scripts, mitigating the impact of potential XSS payloads. 4. User awareness: Educate users about the risks of clicking suspicious links or interacting with untrusted content on affected websites. 5. Web Application Firewall (WAF): Configure WAF rules to detect and block typical XSS attack patterns targeting the Klaro module. 6. Audit and monitoring: Conduct regular security audits of Drupal sites and monitor logs for unusual activity indicative of exploitation attempts. 7. Disable or replace: If immediate patching is not feasible, consider disabling the Klaro module or replacing it with an alternative consent management solution that is not vulnerable.