Vulnerability Description
tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as javascript:alert(). Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript execution if a user clicked on a malicious link. An attacker with high privileges could insert a link exploiting an insecure URL scheme, leading to execution of arbitrary JavaScript code, theft of sensitive data through phishing attacks, or modification of the user interface behavior. This vulnerability is fixed in 1.20.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amauri | Tarteaucitronjs | < 1.20.1 |
| Tacjs Project | Tacjs | >= 8.x-1.0, < 8.x-6.7 |
Related Weaknesses (CWE)
References
- https://github.com/AmauriC/tarteaucitron.js/commit/2fa1e01023bce2e4b813200600bb1Patch
- https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-p5g4-v748-6Third Party Advisory
- https://www.drupal.org/sa-contrib-2025-027Vendor Advisory
FAQ
What is CVE-2025-31476?
CVE-2025-31476 is a vulnerability with a CVSS score of 4.8 (MEDIUM). tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin...
How severe is CVE-2025-31476?
CVE-2025-31476 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-31476?
Check the references section above for vendor advisories and patch information. Affected products include: Amauri Tarteaucitronjs, Tacjs Project Tacjs.