Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012
Project: Google Tag
Date: 2025-January-29
Security risk: Moderately critical 12 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Request Forgery
Affected versions: <1.8.0 || >=2.0.0 <2.0.8
Description: This module enables you to integrate the site with the Google Tag Manager (GTM) application.
The module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery (CSRF).
This vulnerability is mitigated by the fact that an attacker needs to know the machine name of the container. The machine name is a random string, making an attack more difficult.
Solution: Install the latest version:
- If you use the Google Tag module 8.x, upgrade to Google Tag 8.x-1.8
- If you use the Google Tag module 2.0.x, upgrade to Google Tag 2.0.8
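For auditing custom modules for the same class of issue, the following added example (not code from this advisory or from the Google Tag project) flags enable/disable style routes in a `*.routing.yml` file that lack Drupal core's `_csrf_token: 'TRUE'` route requirement. The module name `example_tag`, its route names and paths, and the path-suffix heuristic are assumptions made for illustration.

```python
import re

# Constructed routing file for a hypothetical module "example_tag"; route names
# and paths are illustrative and are not taken from the Google Tag module.
SAMPLE_ROUTING = """\
entity.example_container.enable:
  path: '/admin/config/example/{example_container}/enable'
  defaults:
    _controller: '\\Drupal\\example_tag\\Controller\\Toggle::enable'
  requirements:
    _permission: 'administer example containers'
entity.example_container.disable:
  path: '/admin/config/example/{example_container}/disable'
  requirements:
    _permission: 'administer example containers'
    _csrf_token: 'TRUE'
entity.example_container.collection:
  path: '/admin/config/example'
  requirements:
    _permission: 'administer example containers'
"""

# Assumption: these path endings mark link-triggered state changes.
STATE_CHANGING = re.compile(r"/(enable|disable|delete)/?$")

def parse_routes(text):
    """Parse the simple two-level layout above (not a general YAML parser)."""
    routes, route, section = {}, None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:                      # new route name
            route = routes[key] = {}
        elif indent <= 2:                    # path, defaults, requirements, ...
            section, route[key] = key, (value or {})
        else:                                # entry nested under a section
            route[section][key] = value
    return routes

def routes_missing_csrf(text):
    """Return state-changing routes that lack `_csrf_token: 'TRUE'`."""
    return [name for name, r in parse_routes(text).items()
            if STATE_CHANGING.search(r.get("path", ""))
            and r.get("requirements", {}).get("_csrf_token") != "TRUE"]

print(routes_missing_csrf(SAMPLE_ROUTING))
```

A flagged route is a candidate for review only: a route that changes state through a confirmation form is already covered by Drupal's form token and does not need the route requirement.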
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team