MEDIUM🇵🇱 Wersja polska

CVE-2025-48939

CVSS 4.2v3.1pub. 2025-07-03upd. 2025-10-21

tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual <script> element. If an attacker injected an HTML element, it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the <script> tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements become properties on the global document object. An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. This issue has been patched in version 1.22.0.

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L
  • Amauri Tarteaucitronjs

    APP
    Amauri
    < 1.22.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-22809MEDIUM4.4ten sam produkt

tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of ...

CVE-2025-31138MEDIUM5.5ten sam produkt

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron....

CVE-2025-31475MEDIUM5.5ten sam produkt

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron....

CVE-2025-31476MEDIUM4.8ten sam produkt

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron....

CVE-2024-13888HIGH7.2ten sam vendor

The WPMobile.App plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 11....