etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074

Project: etrackerDate: 2025-May-28Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <3.1.0CVE IDs: CVE-2025-48920Description: The module adds the etracker web statistics tracking system to your website.
The cookies_etracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.
A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).Solution: Install the latest version:

  • If you use the etracker module for Drupal 9 and above, upgrade to etracker 8.x-3.1

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2025-074