Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2024-March-27
Vulnerability:
Cross Site Scripting
Affected versions:
<6.5.0
CVE IDs:
CVE-2024-13252
Description:
This module enables sites to comply with the European cookie law using tarteaucitron.js.
The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting (XSS) vulnerability. More details are available in CVE-2023-3620.
This vulnerability is mitigated by the fact that an attacker needs to be able to write content in the page, a feature commonly available on Drupal sites.
Solution:
Install the latest version:
- If you use the tacjs module for Drupal 8.x, upgrade to tacjs 8.x-6.5
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
