tarteaucitron Cross-site Scripting (XSS)

Severity:: Low

Description

Versions of the package tarteaucitronjs before 1.17.0 are vulnerable to Cross-site Scripting (XSS) via the getElemWidth() and getElemHeight(). This is related to SNYK-JS-TARTEAUCITRONJS-8366541

Recommendation

Update the tarteaucitronjs package to the latest compatible version. Followings are version details:

Affected version(s): < 1.17.0
Patched version(s): 1.17.0

References

GHSA-8wp9-x25p-8794
security.snyk.io
CVE-2025-1467
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

QMarkdown Cross-Site Scripting (XSS) vulnerability - CVE-2025-43954
@tiptap/extension-link vulnerable to Cross-site Scripting (XSS) - CVE-2025-14284
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
DOMPurify allows Cross-site Scripting (XSS) - CVE-2025-26791

Tags:: npm; tarteaucitronjs

Anything's wrong? Let us know Last updated on February 24, 2025