etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074
Project: etrackerDate: 2025-May-28Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <3.1.0CVE IDs: CVE-2025-48920Description: The module adds the etracker web statistics tracking system to your website.
The cookies_etracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.
A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).Solution: Install the latest version:
- If you use the etracker module for Drupal 9 and above, upgrade to etracker 8.x-3.1
Reported By:
Fixed By:
Coordinated By:
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff)
- Cathy Theys (yesct) of the Drupal Security Team