
it-securitynotifies - [IT-SecNots] [Security-news] Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012
  • Date: Wed, 29 Jan 2025 17:49:33 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=XBUWVQ2j; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 266026F642
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org A7C6B610C8
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-012

Project: Google Tag [1]
Date: 2025-January-29
Security risk: *Moderately critical* 12 ∕ 25
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery

Affected versions: <1.8.0 || >=2.0.0 <2.0.8
Description: 
This module enables you to integrate the site with the Google Tag Manager
(GTM) application.

The module doesn't sufficiently validate the enabling or disabling of a tag
container. The routes involved are not protected against Cross Site Request
Forgery (CSRF).

This vulnerability is mitigated by the fact that an attacker needs to know
the machine name of the container. The machine name is a random string,
making an attack more difficult.

Solution: 
Install the latest version:

* If you use the Google Tag module 8.x, upgrade to Google Tag 8.x-1.8 [3]
* If you use the Google Tag module 2.0.x, upgrade to Google Tag 2.0.8 [4]

Reported By: 
* Pierre Rudloff [5]
* Florent Torregrosa [6]

Fixed By: 
* Jim Berry [7]
* Jakob P [8]

Coordinated By: 
* Greg Knaddison [9] of the Drupal Security Team
* Juraj Nemec [10] of the Drupal Security Team


[1] https://www.drupal.org/project/google_tag
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/google_tag/releases/8.x-1.8
[4] https://www.drupal.org/project/google_tag/releases/2.0.8
[5] https://www.drupal.org/user/3611858
[6] https://www.drupal.org/user/2388214
[7] https://www.drupal.org/user/240748
[8] https://www.drupal.org/user/45640
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/272316

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
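
The "Affected versions" expression above can be evaluated against an inventory of installed Google Tag versions. The following is an added example, not part of the advisory or of the Drupal project's code. It assumes a legacy version such as 8.x-1.7 corresponds to 1.7.0, as the advisory's pairing of "<1.8.0" with the fixed release 8.x-1.8 indicates; the function names and the sample inventory are constructed for illustration.

```python
import re

# Constraint copied from the advisory's "Affected versions" line.
AFFECTED = "<1.8.0 || >=2.0.0 <2.0.8"

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}

def parse_version(text):
    """Return (major, minor, patch) for '2.0.7', 'v2.0.7' or legacy '8.x-1.7'."""
    text = text.strip().lstrip("v")
    text = re.sub(r"^\d+\.x-", "", text)  # drop legacy core prefix such as '8.x-'
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        # Dev or pre-release builds (e.g. '2.0.x-dev') need a manual look.
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def is_affected(version, constraint=AFFECTED):
    """True if version matches any '||' branch; terms inside a branch are ANDed."""
    v = parse_version(version)
    for branch in constraint.split("||"):
        terms = re.findall(r"(<=|>=|<|>|=)\s*([\w.\-]+)", branch)
        if terms and all(_OPS[op](v, parse_version(b)) for op, b in terms):
            return True
    return False

# Constructed sample inventory: site name -> installed google_tag version.
SAMPLE = {"site-a": "8.x-1.7", "site-b": "8.x-1.8",
          "site-c": "2.0.7", "site-d": "2.0.8"}

def triage(inventory):
    """Return the sorted names of sites whose version is in the affected range."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))

if __name__ == "__main__":
    for name in triage(SAMPLE):
        print(f"{name}: google_tag {SAMPLE[name]} is in the affected range")
```

Version strings that cannot be parsed raise ValueError rather than being reported as unaffected, so dev builds are not silently skipped.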

