DRUPAL-CONTRIB-2024-016

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tacjs/DRUPAL-CONTRIB-2024-016.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-016

Aliases

CVE-2024-13252

Published

2024-03-27T17:16:26Z

Modified

2025-12-10T23:41:25.041672Z

Summary

[none]

Details

This module enables sites to comply with the European cookie law using tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting (XSS) vulnerability. More details are available in CVE-2023-3620.

This vulnerability is mitigated by the fact that an attacker needs to be able to write content in the page, a feature commonly available on Drupal sites.

References

https://www.drupal.org/sa-contrib-2024-016

Credits

- Pierre Rudloff
- - https://www.drupal.org/user/3611858

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/tacjs

Package

Name: drupal/tacjs
Purl: pkg:composer/drupal/tacjs

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

6.5.0

Database specific

{
    "constraint": "<6.5.0"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tacjs/DRUPAL-CONTRIB-2024-016.json"

affected_versions

"<6.5.0"