
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN213

_____________________________________________________________________

DATE                : 08/04/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running tarteaucitron.js versions prior
                     to 1.20.1.

=====================================================================
https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-7524-3396-fqv3
https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-4hwx-xcc5-2hfc
https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-p5g4-v748-6fh8
_____________________________________________________________________

UI manipulation via unrestricted CSS injection
Moderate
AmauriC published GHSA-7524-3396-fqv3 Apr 7, 2025

Package
tarteaucitron.js (Github)

Affected versions
none (on master for some hours)

Patched versions
1.20.1


Description

A vulnerability was identified in tarteaucitron.js, where
user-controlled inputs for element dimensions (width and height) were
not properly validated. This allowed an attacker with direct access
to the site's source code or a CMS plugin to set values like
100%;height:100%;position:fixed;, potentially covering the entire
viewport and facilitating clickjacking attacks.


Impact

An attacker with high privileges could exploit this vulnerability to:

    Overlay malicious UI elements on top of legitimate content,
    Trick users into interacting with hidden elements (clickjacking),
    Disrupt the intended functionality and accessibility of the
    website.


Fix 25fcf82

The issue was resolved by enforcing strict validation and sanitization
of user-provided CSS values to prevent unintended UI manipulation.
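The check described above, as an added example (not tarteaucitron.js code): a dimension value is accepted only if it is a single CSS length, and the advisory's own payload is shown passing through a naive string concatenation versus the whitelist. The names isSafeCssLength, buildStyleUnsafe and buildStyleSafe, and the unit whitelist, are assumptions of this example.

```javascript
// Added example, not tarteaucitron.js code: validating a configured
// dimension before it is written into an inline style, in the spirit of
// the GHSA-7524-3396-fqv3 fix. isSafeCssLength, buildStyleUnsafe and
// buildStyleSafe are hypothetical names.

// A single CSS length: unsigned number (integer or decimal) plus one
// whitelisted unit. No separators, functions or further declarations.
const CSS_LENGTH = /^(?:\d+|\d*\.\d+)(?:px|%|em|rem|vw|vh)$/;

function isSafeCssLength(value) {
  return typeof value === 'string' && CSS_LENGTH.test(value.trim());
}

// Before-style behaviour: the configured value is concatenated verbatim,
// so "100%;height:100%;position:fixed;" turns one width into a
// full-viewport, fixed-position element (the clickjacking overlay).
function buildStyleUnsafe(width, height) {
  return 'width:' + width + ';height:' + height + ';';
}

// Hardened behaviour: each dimension must pass the whitelist or is
// replaced by a safe default, so a value can never carry a second
// declaration into the style string.
function buildStyleSafe(width, height, fallback = 'auto') {
  const w = isSafeCssLength(width) ? width.trim() : fallback;
  const h = isSafeCssLength(height) ? height.trim() : fallback;
  return 'width:' + w + ';height:' + h + ';';
}

// Constructed sample values, including the one quoted in the advisory.
const SAMPLE_VALUES = [
  '300px',
  '50%',
  '2.5em',
  '100%;height:100%;position:fixed;',
  'calc(100vw)',
  'url(x)',
];

for (const v of SAMPLE_VALUES) {
  console.log(JSON.stringify(v), '->', isSafeCssLength(v) ? 'accepted' : 'rejected');
}
console.log('unsafe:', buildStyleUnsafe(SAMPLE_VALUES[3], '200px'));
console.log('safe  :', buildStyleSafe(SAMPLE_VALUES[3], '200px'));
```

The whitelist is deliberately narrow (no `auto`, no unitless `0`) and should be widened only to what a site actually needs. In a browser, assigning through the CSSOM (`el.style.width = value`) instead of building a `cssText` string is a second layer, since the setter parses exactly one value and discards anything that is not a valid width; the explicit check is still worth keeping so that rejected values can be logged and the element gets a predictable fallback.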


Severity
Moderate

5.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CVE ID
CVE-2025-31138

Weaknesses
CWE-1021

Credits

    @Rudloff (Reporter)


_____________________________________________________________________


Prototype pollution via custom text injection
Moderate
AmauriC published GHSA-4hwx-xcc5-2hfc Apr 7, 2025

Package
AmauriC/tarteaucitron.js (Github)

Affected versions
< 1.20.1

Patched versions
1.20.1

tarteaucitronjs (npm)
Affected versions
< 1.20.1
Patched versions
1.20.1


Description

A vulnerability was identified in tarteaucitron.js, where the
addOrUpdate function, used for applying custom texts, did not
properly validate input. This allowed an attacker with direct
access to the site's source code or a CMS plugin to manipulate
JavaScript object prototypes, leading to potential security
risks such as data corruption or unintended code execution.


Impact

An attacker with high privileges could exploit this
vulnerability to:

    Modify object prototypes, affecting core JavaScript behavior,
    Cause application crashes or unexpected behavior,
    Potentially introduce further security vulnerabilities
    depending on the application's architecture.


Fix 74c354c

The issue was resolved by ensuring that user-controlled inputs
cannot modify JavaScript object prototypes.
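The defect and the fix described above, as an added example (not tarteaucitron.js code): a naive recursive merge of custom texts reaches Object.prototype through a key literally named "__proto__", while the hardened version skips the prototype-bearing keys and only descends into own properties. The names mergeTextsUnsafe, addOrUpdateSafe and isPrototypePolluted, and the sample payload, are assumptions of this example.

```javascript
// Added example, not tarteaucitron.js code: a naive recursive merge of
// custom texts beside a hardened version that refuses to descend into
// prototype-bearing keys, in the spirit of the GHSA-4hwx-xcc5-2hfc fix.
// mergeTextsUnsafe, addOrUpdateSafe and isPrototypePolluted are
// hypothetical names.

// Keys through which a recursive merge can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Before-style behaviour: every key of the source is traversed, so an own
// property literally named "__proto__" (which JSON.parse happily creates)
// makes the recursion write into Object.prototype.
function mergeTextsUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeTextsUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened behaviour: skip the dangerous keys, descend only into own
// properties of the target, and give nested containers a null prototype
// so that below the top level "__proto__" is just an ordinary name.
function addOrUpdateSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      addOrUpdateSafe(target[key], value);
    } else if (typeof value === 'string') {
      target[key] = value; // custom texts are strings; anything else is dropped
    }
  }
  return target;
}

// Detection aid: has a marker property appeared directly on Object.prototype?
function isPrototypePolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Constructed sample input: one legitimate translation plus a "__proto__" key.
const SAMPLE_PAYLOAD =
  '{"fr": {"alertBig": "Bonjour"}, "__proto__": {"polluted": "yes"}}';

function demo() {
  const safe = addOrUpdateSafe({}, JSON.parse(SAMPLE_PAYLOAD));
  console.log('hardened merge:', safe.fr.alertBig, '| polluted:', isPrototypePolluted('polluted'));
  mergeTextsUnsafe({}, JSON.parse(SAMPLE_PAYLOAD));
  console.log('naive merge   : polluted:', isPrototypePolluted('polluted'));
  delete Object.prototype.polluted; // undo the demonstration's pollution
}
demo();
```

The key filter alone is what closes the hole; the null-prototype containers and the own-property check are belt-and-braces, and the string check reflects that a custom-text table should only ever hold strings. A marker check like isPrototypePolluted is also a cheap assertion to run in a test suite after feeding it any merge function untrusted JSON.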


Severity
Moderate

5.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CVE ID
CVE-2025-31475

Weaknesses
CWE-1321


_____________________________________________________________________


Url scheme injection via unfiltered inputs
Moderate
AmauriC published GHSA-p5g4-v748-6fh8 Apr 7, 2025

Package
AmauriC/tarteaucitron.js (Github)

Affected versions
< 1.20.1

Patched versions
1.20.1

tarteaucitronjs (npm)
Affected versions
< 1.20.1
Patched versions
1.20.1


Description

A vulnerability was identified in tarteaucitron.js, allowing a user
with high privileges (access to the site's source code or a CMS
plugin) to enter a URL containing an insecure scheme such as
javascript:alert(). Before the fix, URL validation was insufficient,
which could allow arbitrary JavaScript execution if a user clicked
on a malicious link.


Impact

An attacker with high privileges could insert a link exploiting an
insecure URL scheme, leading to:

    Execution of arbitrary JavaScript code
    Theft of sensitive data through phishing attacks
    Modification of the user interface behavior


Fix 2fa1e01

The issue was resolved by enforcing strict URL validation, ensuring
that URLs start with http:// or https:// before being used.
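The validation described above, as an added example (not tarteaucitron.js code): the link target is accepted only when the WHATWG URL parser reports an http: or https: scheme, which covers the casing and whitespace variants a plain prefix check would have to handle by hand. The names isSafeHttpUrl and safeHref and the sample links are assumptions of this example.

```javascript
// Added example, not tarteaucitron.js code: accepting a link target only
// when it parses as an http: or https: URL, in the spirit of the
// GHSA-p5g4-v748-6fh8 fix. isSafeHttpUrl and safeHref are hypothetical
// names.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Parse with the WHATWG URL parser (the global URL in Node and browsers)
// instead of matching a string prefix. The parser lower-cases the scheme
// and strips leading/trailing whitespace and embedded tabs/newlines, so
// "JAVASCRIPT:", " javascript:" and "java\tscript:" all come out as the
// javascript: scheme and are rejected. A relative path has no scheme and
// fails to parse without a base, which also satisfies the advisory's
// "must start with http:// or https://" rule.
function isSafeHttpUrl(value) {
  if (typeof value !== 'string') return false;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return false; // not an absolute URL at all
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Href to write into the link: the normalised URL, or an inert fallback.
function safeHref(value, fallback = '#') {
  return isSafeHttpUrl(value) ? new URL(value).href : fallback;
}

// Constructed sample inputs, as an operator might type them into a CMS field.
const SAMPLE_LINKS = [
  'https://example.com/privacy',
  'HTTP://example.com/cookies',
  '/privacy',
  'javascript:alert()',
  ' JavaScript:alert()',
  'data:text/html,x',
];

for (const link of SAMPLE_LINKS) {
  console.log(JSON.stringify(link), '->', safeHref(link));
}
```

Checking `url.protocol` after parsing, rather than the raw string, is what makes the mixed-case and whitespace variants fall out for free; a site that legitimately uses relative links would resolve them against `window.location` first and then apply the same scheme check.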


Severity
Moderate

4.8 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE ID
CVE-2025-31476

Weaknesses
CWE-79


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
