Cross-site Scripting Vulnerability in Tarteaucitron.js by Amauri C.
CVE-2025-1467

5.1MEDIUM

Key Information:

Vendor: Amauri C.
Status: Tarteaucitronjs
Vendor: CVE Published:; 23 February 2025

Summary

Tarteaucitron.js versions before 1.17.0 are susceptible to Cross-site Scripting (XSS) vulnerabilities through the getElemWidth() and getElemHeight() functions. Attackers can exploit this flaw to execute arbitrary scripts in the context of a user's session, potentially leading to data theft and unauthorized actions within affected web applications.

Affected Version(s)

tarteaucitronjs 0 < 1.17.0

References

https://security.snyk.io/vuln/SNYK-JS-TARTEAUCITRONJS-873...

https://github.com/AmauriC/tarteaucitron.js/commit/124905...

https://github.com/AmauriC/tarteaucitron.js/issues/1184

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Feb 23, 2025
Vulnerability Reserved
Feb 19, 2025

Credit

François (mably)