Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040


Chronologisch Thread  
    < Chronologisch >       < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040
  • Date: Wed, 3 Jun 2026 16:11:52 +0000
  • Archived-at: <>
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=cAyaNWeL; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=f34odw3mfzgsrgyn3evjayysxxl6jizn header.b=I7v5Kb8B; dkim=fail ("body hash did not verify") header.d=amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=LuI4Zm8g; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 7A70142BA5
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 270AD40027
  • Dmarc-filter: OpenDMARC Filter v1.4.2 smtp2.osuosl.org 270AD40027
  • Feedback-id: ::1.us-west-2.eaokZ1GT8utLqfMHQoyOsEFVrSIzzS6R+14LP6WIIUY=:AmazonSES
  • List-archive: <>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2026-040

Project: TacJS [1]
Date: 2026-June-03
Security risk: *Moderately critical* 11 ∕ 25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Improper Access Control

Affected versions: <6.8
CVE IDs:  CVE-2026-49977
Description: 
This module enables sites to comply with the European cookie law using
tarteaucitron.js.

The module doesn't sufficiently filter user-supplied markup inside of content
leading to an attacker being able to delete arbitrary cookies.

This vulnerability is mitigated by the fact that an attacker needs to be able
to insert specific data attributes in the page.

Solution: 
Install the latest version:

* If you use tacjs 8.x-6.x, upgrade to tacjs 8.x-6.8 [3]

Reported By: 
* Pierre Rudloff (prudloff) [4] of the Drupal Security Team

Fixed By: 
* Pierre Rudloff (prudloff) [5] of the Drupal Security Team

Coordinated By: 
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Pierre Rudloff (prudloff) [7] of the Drupal Security Team

Security
issue: 
https://git.drupalcode.org/security/185107-tacjs-security/-/work_items/1
[8]
------------------------------------------------------------------------------
Contribution record [9]

[1] https://www.drupal.org/project/tacjs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tacjs/releases/8.x-6.8
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/prudloff
[8] https://git.drupalcode.org/security/185107-tacjs-security/-/work_items/1
[9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3593096

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at
  • [IT-SecNots] [Security-news] TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040, security-news, 03.06.2026

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang