SCA: security update for tarteaucitronjs (GHSA-4hwx-xcc5-2hfc)

medium Tenable Cloud Security Plugin ID 424778

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where the addOrUpdate function, used for applying custom texts, did not properly validate input. This allowed an attacker with direct access to the site's source code or a CMS plugin to manipulate JavaScript object prototypes, leading to potential security risks such as data corruption or unintended code execution. An attacker with high privileges could exploit this vulnerability to modify object prototypes, affecting core JavaScript behavior, cause application crashes or unexpected behavior, or potentially introduce further security vulnerabilities depending on the application's architecture. This vulnerability is fixed in 1.20.1. (CVE-2025-31475)
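The description above names the general defect class (a text-override merge that writes whatever keys it is handed, so a key such as "__proto__" reaches Object.prototype) without showing code. The block below is an added illustration, not tarteaucitron.js code and not a reconstruction of its addOrUpdate function: a generic deep merge of custom-text overrides in a naive form beside a hardened form that refuses prototype-related keys and only descends into the target's own properties. The function names, the FORBIDDEN_KEYS set and the sample override object are all assumptions constructed for this example.

```javascript
// Added example: an addOrUpdate-style deep merge of custom texts, naive and hardened.
// Not tarteaucitron.js code; names and sample data are constructed for illustration.

// Keys that must never be merged: writing to them reaches shared prototypes.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Naive merge: trusts every key in the override and recurses into whatever
// target[key] resolves to, including inherited values such as Object.prototype.
function naiveAddOrUpdate(target, overrides) {
  for (const key of Object.keys(overrides)) {
    const value = overrides[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveAddOrUpdate(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skips forbidden keys (recording them for logging) and only
// recurses into properties the target itself owns, never inherited ones.
function safeAddOrUpdate(target, overrides, rejected = []) {
  for (const key of Object.keys(overrides)) {
    if (FORBIDDEN_KEYS.has(key)) {
      rejected.push(key);
      continue;
    }
    const value = overrides[key];
    if (isPlainObject(value)) {
      const ownsKey = Object.prototype.hasOwnProperty.call(target, key);
      if (!ownsKey || !isPlainObject(target[key])) target[key] = {};
      safeAddOrUpdate(target[key], value, rejected);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges on a constructed override object and reports whether
// Object.prototype was modified. Parsing JSON is used because an object
// literal with a __proto__ key sets the prototype instead of creating an own
// key; JSON.parse produces an own key, as a config file or plugin setting would.
function demonstrate() {
  const overrides = JSON.parse(
    '{"alertSmall": "Manage cookies", "__proto__": {"polluted": "yes"}}'
  );

  naiveAddOrUpdate({}, overrides);
  const naivePolluted = ({}).polluted === "yes";
  delete Object.prototype.polluted; // undo the side effect for the rest of the process

  const rejected = [];
  const merged = safeAddOrUpdate({}, overrides, rejected);
  const safePolluted = ({}).polluted === "yes";

  return { naivePolluted, safePolluted, merged, rejected };
}

console.log(JSON.stringify(demonstrate()));
```

The hardened version combines two checks because each alone leaves a gap: the key deny-list stops the well-known names, and the own-property test stops recursion from ever descending into an inherited object even if a new dangerous name appears. Logging the rejected keys gives a detection signal: custom-text input that carries "__proto__" or "constructor" is never legitimate and is worth alerting on.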

See Also

https://github.com/advisories/GHSA-4hwx-xcc5-2hfc

Plugin Details

Severity: Medium

ID: 424778

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 4/7/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:P/A:P

CVSS Score Source: CVE-2025-31475

CVSS v3

Risk Factor: Medium

Base Score: 6.6

Temporal Score: 5.8

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/7/2025

Vulnerability Publication Date: 4/7/2025

Reference Information

CVE: CVE-2025-31475