The vulnerability in tarteaucitron.js arises from insufficient input validation of user-supplied CSS dimension values, specifically `width` and `height`. Because these values are placed into a style declaration without being checked, an attacker with edit privileges (e.g., a CMS admin or a compromised plugin) can supply a value such as `100%;height:100%;position:fixed;`: the first `;` closes the `width` declaration and everything after it becomes additional declarations the attacker controls. This enables clickjacking, with an invisible element positioned over legitimate content that captures the user's clicks. Because the injected value is stored with the site configuration and rendered on every page load, the UI disruption is persistent.
DailyCVE Form
Platform: tarteaucitron.js
Version: <25fcf82
Vulnerability: CSS Injection
Severity: Moderate
Date: 2025-04-07
What Undercode Say:
Exploitation:
1. Payload Example (the value an editor supplies for `width`; the `;` closes the `width` declaration and the remaining text is rendered as further declarations):
100%;height:100%;position:fixed;opacity:0;
2. Attack Vector:
- Stored CSS injection through a CMS plugin or theme setting that exposes the embed width/height to editors.
- Abuse by a privileged user (an admin or plugin author who can already edit site configuration).
Detection:
1. Check for Unfiltered Inputs: locate the place where the library turns the configured width and height into a style string and confirm the value is validated against a number-plus-unit pattern before use. A build that concatenates the value unchanged is vulnerable.
2. Audit CSS Handling (find every spot where the dimensions are handled, then read the surrounding lines):
grep -n -E "width|height" /path/to/tarteaucitron.js
3. Confirm the deployed copy includes commit 25fcf82; a copy taken from before that commit is affected regardless of how it is configured.
Mitigation:
1. Patch: Upgrade to a build that includes commit `25fcf82` or later.
2. Sanitization Workaround (validate with an allowlist instead of stripping characters; stripping turns a payload into a garbage value such as `100%100%px0` and also rejects legitimate units like `em` or `vh`):
function sanitizeDimensions(input) {
  // Accept a plain decimal number with an optional length unit; fall back to a safe constant otherwise.
  return /^\d+(\.\d+)?(px|%|em|rem|vw|vh)?$/.test(String(input).trim()) ? String(input).trim() : "auto";
}
3. CSP Header (defense in depth only): a `style-src` directive that omits `'unsafe-inline'` blocks injected `style` attributes and `<style>` elements, but the header as commonly written does not:
Content-Security-Policy: style-src 'self' 'unsafe-inline';
With `'unsafe-inline'` present the policy permits exactly the inline styles this bug produces. Dropping it may break the page's own inline styling, and CSP does not cover styles set through the CSSOM (`element.style.width = ...`), so test before relying on it; the patch and the validator above are the real fix.
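The break-out from the Exploitation section and the allowlist fix from the Mitigation section side by side, as an added example that is not tarteaucitron's own code: an unsafe dimension-to-style builder shaped like the concatenation the advisory describes, a hardened builder using the validator, and a small audit check that flags a style string carrying declarations other than width and height (the Detection section's "unfiltered input" check expressed as code). The function names, the regex, the `auto` fallback and the sample payload are assumptions made for illustration.

```javascript
// Added example (not tarteaucitron's own code). Function names, the regex and
// the sample payload are illustrative assumptions.

// Vulnerable pattern: the editor-supplied value is concatenated straight into a
// style string, so a ';' inside it appends arbitrary declarations.
function buildStyleUnsafe(width, height) {
  return "width:" + width + ";height:" + height + ";";
}

// Allowlist: a plain decimal number with an optional length unit from a fixed
// list. ';', ':', '(', 'url', 'expression' and similar never match.
const DIMENSION_RE = /^(\d+(\.\d+)?)(px|%|em|rem|vw|vh)?$/;

function isSafeDimension(value) {
  return typeof value === "string" && DIMENSION_RE.test(value.trim());
}

// Hardened builder: a value that fails validation is replaced by a fixed
// fallback instead of being rendered, so the output is always exactly two
// declarations whose values came from the allowlist.
function buildStyleSafe(width, height, fallback = "auto") {
  const w = isSafeDimension(width) ? width.trim() : fallback;
  const h = isSafeDimension(height) ? height.trim() : fallback;
  return "width:" + w + ";height:" + h + ";";
}

// Audit check: split a rendered style string into declarations and report
// whether any property other than width/height is present. A hit means the
// dimension value carried extra declarations into the style.
function hasInjectedDeclarations(style) {
  const props = style
    .split(";")
    .map((decl) => decl.split(":")[0].trim().toLowerCase())
    .filter(Boolean);
  return props.some((p) => p !== "width" && p !== "height");
}

// Constructed sample input: the clickjacking payload from the advisory text.
const PAYLOAD = "100%;height:100%;position:fixed;opacity:0;";

// Runs both builders on the payload so the difference is visible in one place.
function demo() {
  const unsafe = buildStyleUnsafe(PAYLOAD, "300px");
  const safe = buildStyleSafe(PAYLOAD, "300px");
  return {
    unsafe,
    unsafeInjected: hasInjectedDeclarations(unsafe),
    safe,
    safeInjected: hasInjectedDeclarations(safe),
  };
}

console.log(demo());
```

The validator deliberately rejects rather than strips: a rejected value falls back to a known-good constant, which keeps the rendered style predictable, whereas character stripping can leave a mangled value that still parses as something. Unitless numbers are accepted because they are harmless (the browser ignores an invalid length); tighten the regex to require a unit if the site never uses `0`.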
References:
- GitHub advisory (reported by): https://github.com/advisories/GHSA-7524-3396-fqv3
- GitHub fix: commit 25fcf82
- NVD: CVE-2025-XXXX