GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094
Project: GoogleTag ManagerDate: 2025-July-30Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingAffected versions: <1.10.0CVE IDs: CVE-2025-8362Description: This module enables you to integrate Google Tag Manager (GTM) into your Drupal site by allowing administrators to configure and embed GTM container snippets.
The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters malicious input into the GTM-ID field. This value is directly inserted into a <script>
tag, making the site vulnerable to Cross-site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission Administer gtm, and the input field is limited to 20 characters.Solution: Install the latest version:
If you use the Google Tag Manager module for Drupal 8.x, upgrade to Google Tag Manager 8.x-1.10.
The new version includes validation to prevent injection and restricts risky inputs.
Additionally, site administrators should review which roles have the Administer gtm permission at /admin/people/permissions
.Reported By:
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
Fixed By:
- Anatoly Politsin (apolitsin)
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
Coordinated By:
- Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team