Clickjacking In tarteaucitronjs

Description

tarteaucitron.js allows UI manipulation via unrestricted CSS injection. A vulnerability was identified in tarteaucitron.js where user-controlled inputs for element dimensions (width and height) were not properly validated. This allowed an attacker with direct access to the site's source code or a CMS plugin to set values such as 100%;height:100%;position:fixed;, potentially covering the entire viewport and facilitating clickjacking attacks.

Impact

An attacker with high privileges could exploit this vulnerability to:

- Overlay malicious UI elements on top of legitimate content,
- Trick users into interacting with hidden elements (clickjacking),
- Disrupt the intended functionality and accessibility of the website.

Fix: https://github.com/AmauriC/tarteaucitron.js/commit/25fcf828aaa55306ddc09cfbac9a6f8f126e2d07

The issue was resolved by enforcing strict validation and sanitization of user-provided CSS values to prevent unintended UI manipulation.
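To illustrate the defect class and the kind of validation the fix describes, here is an added example (not tarteaucitron.js's own code, and not the linked commit): a naive style builder that concatenates the raw value, next to an allow-list validator that accepts only a single CSS length. The function names buildStyleUnsafe, sanitizeDimension and buildStyleSafe, and the sample payload, are constructed for this example.

```javascript
// Naive approach: the value is concatenated into the style text as-is, so a
// value such as "100%;height:100%;position:fixed;" smuggles in extra
// declarations (height, position) that the caller never intended to set.
function buildStyleUnsafe(width, height) {
  return "width:" + width + ";height:" + height + ";";
}

// Strict allow-list: a number (optionally decimal) followed by a known unit,
// or the keyword "auto". No separators, no extra declarations, no functions.
const DIMENSION_RE = /^(?:auto|\d+(?:\.\d+)?(?:px|%|em|rem|vw|vh))$/;

// Returns the trimmed value when it is a single valid length, else `fallback`.
function sanitizeDimension(value, fallback) {
  if (typeof value !== "string") return fallback;
  const trimmed = value.trim();
  return DIMENSION_RE.test(trimmed) ? trimmed : fallback;
}

// Hardened builder: every dimension passes through the validator first, so a
// rejected value degrades to "auto" instead of reaching the stylesheet.
function buildStyleSafe(width, height) {
  const w = sanitizeDimension(width, "auto");
  const h = sanitizeDimension(height, "auto");
  return "width:" + w + ";height:" + h + ";";
}

// Constructed sample input with the same shape as the payload in the advisory.
const payload = "100%;height:100%;position:fixed;";

console.log("unsafe:", buildStyleUnsafe(payload, "10px"));
// unsafe: width:100%;height:100%;position:fixed;;height:10px;
console.log("safe:  ", buildStyleSafe(payload, "10px"));
// safe:   width:auto;height:10px;
```

Assigning through the CSSOM (element.style.width = value) rather than building style text also neutralises this particular payload, because a value containing a semicolon is not a valid length and the whole declaration is dropped; the allow-list is still needed to reject values that are syntactically valid but unwanted.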

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
