"Ricochet has proven to be a partner that we can depend on to create and maintain a successful drupal-based CMS system. Their deep experience in drupal has allowed them to identify existing plugins and to quickly implement custom logic when required to efficiently implement our international content management workflow and site. Ricochet has shown their commitment to our success again and again, working collaboratively across our team to make it happen, and putting in the extra effort when needed to meet our business goals."
—David Saffren, Blurb.com

Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011

Wed, 2025-01-29 09:13 — Anonymous (not verified)

Project: Google TagDate: 2025-January-29Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <1.8.0 || >=2.0.0 <2.0.8Description: This module enables you to integrate the site with the Google Tag Manager (GTM) application.
The module doesn't have the "restrict access" flag on the "administer google_tag_container" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicious JS, resulting in a cross site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the aforementioned permission.Solution: Install the latest version:

If you use the Google Tag module 8.x, upgrade to Google Tag 8.x-1.8
If you use the Google Tag module 2.0.x, upgrade to Google Tag 2.0.8

Reported By:

Pierre Rudloff

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team
Juraj Nemec of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-011

Search form

Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011