Reflected cross-site scripting (XSS) In tarteaucitronjs

Description

tarteaucitron.js allows URL scheme injection via unfiltered inputs. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as javascript:alert(). Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript execution if a user clicked on a malicious link.

Impact

An attacker with high privileges could insert a link exploiting an insecure URL scheme, leading to:

    Execution of arbitrary JavaScript code

    Theft of sensitive data through phishing attacks

    Modification of the user interface behavior

Fix

https://github.com/AmauriC/tarteaucitron.js/commit/2fa1e01023bce2e4b813200600bb1619d56ceb02

The issue was resolved by enforcing strict URL validation, ensuring that URLs start with http:// or https:// before being used.
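The following is an added example, not code from tarteaucitron.js or from the linked commit, showing the difference between the kind of allowlist check the fix describes (accept only http:// and https://) and a scheme denylist. It parses the candidate with the standard URL constructor, which normalises scheme case and strips the leading whitespace and embedded tab/newline characters that a raw string comparison would miss. The function names and the sample inputs are constructed for this example.

```javascript
// Added example (not tarteaucitron.js's own code): accept a link target only
// when it parses as an absolute URL whose scheme is exactly http: or https:.
// The URL parser lowercases the scheme and strips leading/trailing whitespace
// and embedded tabs/newlines, so variants such as "JavaScript:" or
// " javascript:" are normalised before the comparison rather than slipping
// past a naive string test. Relative or malformed input throws and is rejected.
function isSafeHttpUrl(input) {
  if (typeof input !== "string") return false;
  let parsed;
  try {
    parsed = new URL(input); // no base URL: relative paths are rejected here
  } catch {
    return false;
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// Returns the URL if it is safe to place in an href, otherwise a harmless
// fallback, so the caller never writes an unvalidated scheme into the DOM.
function safeHref(input, fallback = "#") {
  return isSafeHttpUrl(input) ? input : fallback;
}

// Anti-pattern for comparison: a denylist that only blocks "javascript:".
// It lets through data: URLs and any spelling the parser would normalise
// (an embedded tab inside the scheme survives trim()), which is why the
// fix described above takes the allowlist approach instead.
function denylistAllows(input) {
  return !input.trim().toLowerCase().startsWith("javascript:");
}

// Constructed sample inputs exercising the two checks side by side.
const SAMPLE_LINKS = [
  "https://example.com/privacy-policy",
  "HTTP://EXAMPLE.COM/cookies",
  "javascript:alert(1)",
  " javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "/relative/path",
];

function compareChecks(links = SAMPLE_LINKS) {
  return links.map((link) => ({
    link,
    allowlist: isSafeHttpUrl(link),
    denylist: denylistAllows(link),
  }));
}

for (const row of compareChecks()) {
  console.log(JSON.stringify(row));
}
```

The allowlist check rejects every non-HTTP(S) variant in the sample set, while the denylist accepts the tab-separated `java<TAB>script:` spelling and the `data:` URL outright. Note that an absolute-URL requirement also rejects relative paths; if a deployment needs those, resolve them against a trusted base before validation rather than loosening the scheme check.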

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
