Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-April-02
Vulnerability:
Cross Site Scripting
Affected versions:
<6.7.0
CVE IDs:
CVE-2025-31476
Description:
This module enables sites to comply with the European cookie law using tarteaucitron.js.
The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker needs to be able to insert specific data attributes in the page.
Solution:
Install the latest version:
- If you use the tacjs module for Drupal 8.x, upgrade to tacjs 8.x-6.7
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
