"Ricochet has been invaluable in taking our website to the next level. Throughout the development process, they met every need and were able to find creative solutions for every curveball we threw at them. Their knowledge of the latest web technologies, professionalism, and responsiveness brought everything together for us. I can highly recommend Ricochet Consulting to anyone looking to surge past their competition."
—Scott M. Wayne,

etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074

Wed, 2025-05-28 10:44 — Anonymous (not verified)

Project: etrackerDate: 2025-May-28Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <3.1.0CVE IDs: CVE-2025-48920Description: The module adds the etracker web statistics tracking system to your website.
The cookies_etracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.
A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).Solution: Install the latest version:

If you use the etracker module for Drupal 9 and above, upgrade to etracker 8.x-3.1

Reported By:

Pierre Rudloff (prudloff)

Fixed By:

Coordinated By:

Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff)
Cathy Theys (yesct) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-074

Search form

etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074