Description

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as javascript:alert(). Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript execution if a user clicked on a malicious link. An attacker with high privileges could insert a link exploiting an insecure URL scheme, leading to execution of arbitrary JavaScript code, theft of sensitive data through phishing attacks, or modification of the user interface behavior. This vulnerability is fixed in 1.20.1.

INFO

Published Date :

2025-04-07T14:52:12.728Z

Last Modified :

2025-06-12T21:03:38.700Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-31476 vulnerability.

Vendors Products
Amauri
  • Tarteaucitronjs
Tacjs Project
  • Tacjs
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-31476.

URL Resource
https://github.com/AmauriC/tarteaucitron.js/commit/2fa1e01023bce2e4b813200600bb1619d56ceb02 cve-icon cve-icon
https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-p5g4-v748-6fh8 cve-icon cve-icon
https://www.drupal.org/sa-contrib-2025-027 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact