"Ricochet was very impressive with their knowledge, abilities and professionalism. We never ran into a technological roadblock or problem that couldn't be solved. They were able to offer new, cutting-edge solutions around every corner, and they were fantastic about staying in communication. It seemed like we were always able to get ahold of someone, whether it was Tuesday at 1am or Saturday at 7am, someone was quick to respond and help address an emergency or even a simple inquiry. Truly professional service, and quality work.
—Jacob Sowinski, Blue Canvas

etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074

Wed, 2025-05-28 10:44 — Anonymous (not verified)

Project: etrackerDate: 2025-May-28Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: <3.1.0CVE IDs: CVE-2025-48920Description: The module adds the etracker web statistics tracking system to your website.
The cookies_etracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.
A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).Solution: Install the latest version:

If you use the etracker module for Drupal 9 and above, upgrade to etracker 8.x-3.1

Reported By:

Pierre Rudloff (prudloff)

Fixed By:

Coordinated By:

Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff)
Cathy Theys (yesct) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-074

Search form

etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074