A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as javascript:alert(). Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript execution if a user clicked on a malicious link.
Impact
An attacker with high privileges could insert a link exploiting an insecure URL scheme, leading to:
- Execution of arbitrary JavaScript code
- Theft of sensitive data through phishing attacks
- Modification of the user interface behavior
The issue was resolved by enforcing strict URL validation, ensuring that URLs start with http:// or https:// before being used.
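The following is an added example, not tarteaucitron.js code: it shows how an unchecked javascript: URL placed in a link's href becomes script execution in the page's origin, and how an allow-list on the URL scheme stops it. The advisory describes the fix as a check that the string starts with http:// or https://; this example reaches the same allow-list by parsing with the WHATWG URL parser, which also normalizes scheme case and leading whitespace. All function and constant names (renderLinkUnsafe, isSafeUrl, renderLinkSafe, SAMPLES) and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not part of tarteaucitron.js. Names are hypothetical.

// Before-the-fix behaviour as the advisory describes it: the configured URL is
// placed into href without any scheme check. A javascript: URL here runs when
// the rendered link is clicked.
function renderLinkUnsafe(label, url) {
  return '<a href="' + url + '">' + label + '</a>';
}

// Hardened check: parse the string and compare its scheme against an
// allow-list. Parsing (instead of a raw substring test) normalizes case
// ("JavaScript:"), strips leading whitespace and control characters, and
// rejects strings that are not absolute URLs at all.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function isSafeUrl(url) {
  if (typeof url !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(url); // relative URLs throw here and are rejected
  } catch (e) {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Attribute escaping so a valid http(s) URL containing quotes or angle
// brackets cannot break out of the href attribute. This is a separate
// concern from the scheme check, and both are needed.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Refuses to render anything for a rejected URL; the caller decides the fallback.
function renderLinkSafe(label, url) {
  if (!isSafeUrl(url)) return null;
  return '<a href="' + escapeAttr(url) + '">' + escapeAttr(label) + '</a>';
}

// Constructed sample inputs, standing in for what a privileged user could put
// into the configuration.
const SAMPLES = [
  'https://example.com/privacy',
  'http://example.com/privacy',
  'javascript:alert()',
  'JavaScript:alert(document.cookie)',           // mixed-case scheme
  '  javascript:alert()',                        // leading whitespace
  'data:text/html,<script>alert()</script>',     // another non-http scheme
  'vbscript:MsgBox("x")',
  '/privacy',                                    // relative: rejected by this strict variant
  'https://example.com/?q="><img src=x onerror=alert()>', // allowed scheme, needs escaping
];

function classify(urls) {
  return urls.map(u => ({ url: u, safe: isSafeUrl(u) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const { url, safe } of classify(SAMPLES)) {
    console.log((safe ? 'ALLOW ' : 'REJECT') + '  ' + JSON.stringify(url));
  }
  console.log(renderLinkUnsafe('Privacy policy', 'javascript:alert()'));
  console.log(renderLinkSafe('Privacy policy', SAMPLES[SAMPLES.length - 1]));
}
```

The allow-list is deliberately on the parsed protocol, not on the absence of "javascript:" in the string: deny-lists miss data:, vbscript: and future schemes, and a leading space or mixed case defeats naive substring matching. If relative URLs must be accepted, pass the page origin as the second argument to the URL constructor so they resolve to http(s) before the check.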
Fix: commit 2fa1e01