TacJS – Moderately critical – Cross Site Scripting – SA-CONTRIB-2024-016

Drupal Security Advisory

Project: 
Date: 
2024-March-27
Vulnerability: 
Cross Site Scripting
Affected versions: 
<6.5.0
Description: 

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn’t sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting (XSS) vulnerability. More details are available in CVE-2023-3620.

This vulnerability is mitigated by the fact that an attacker needs to be able to write content in the page, a feature commonly available on Drupal sites.

Solution: 

Install the latest version:

  • If you use the tacjs module for Drupal 8.x, upgrade to tacjs 8.x-6.5
Reported By: 
Coordinated By: 

READ MORE