Detections
Analytics

SCA: security update for tarteaucitronjs (GHSA-q43x-79jr-cq98)

medium Tenable Self-Hosted Container Security Plugin ID 428283

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

 - tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was
 identified in tarteaucitron.js where document.currentScript was accessed without verifying that it
 referenced an actual <script> element. If an attacker injected an HTML element, it could clobber the
 document.currentScript property. This causes the script to resolve incorrectly to an element instead of
 the <script> tag, leading to unexpected behavior or failure to load the script path correctly. This issue
 arises because in some browser environments, named DOM elements become properties on the global document
 object. An attacker with control over the HTML could exploit this to change the CDN domain of
 tarteaucitron. This issue has been patched in version 1.22.0. (CVE-2025-48939)

See Also

https://github.com/advisories/GHSA-q43x-79jr-cq98

Plugin Details

Severity: Medium

ID: 428283

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 7/3/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.8

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 2.9

Temporal Score: 2.3

Vector: CVSS2#AV:L/AC:L/Au:M/C:N/I:P/A:P

CVSS Score Source: CVE-2025-48939

CVSS v3

Risk Factor: Medium

Base Score: 4.2

Temporal Score: 3.8

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/3/2025

Vulnerability Publication Date: 7/3/2025

Reference Information

CVE: CVE-2025-48939

cwe: CWE-138