Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094


Chronologisch Thread  
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094
  • Date: Wed, 30 Jul 2025 16:31:24 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=WA4bxOl8; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 67FB540ABD
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org EF4BC60F3D
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-094

Project: GoogleTag Manager [1]
Date: 2025-July-30
Security risk: *Moderately critical* 11 ∕ 25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting

Affected versions: <1.10.0
CVE IDs: CVE-2025-8362
Description: 
This module enables you to integrate Google Tag Manager (GTM) into your
Drupal site by allowing administrators to configure and embed GTM container
snippets.

The module doesn't sufficiently sanitize the GTM container ID under the
scenario where a user with the /Administer gtm/ permission enters malicious
input into the /GTM-ID/ field. This value is directly inserted into a
tag, making the site vulnerable to Cross-site Scripting (XSS)
attacks.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission /Administer gtm/, and the input field is limited to 20
characters.

Solution: 
Install the latest version:

If you use the Google Tag Manager module for Drupal 8.x, upgrade to Google
Tag Manager 8.x-1.10 [3].

The new version includes validation to prevent injection and restricts risky
inputs.

Additionally, site administrators should review which roles have the
/Administer gtm/ permission at /admin/people/permissions.

Reported By: 
* Pierre Rudloff (prudloff) [4], provisional member of the Drupal Security
Team

Fixed By: 
* Anatoly Politsin (apolitsin) [5]
* Pierre Rudloff (prudloff) [6], provisional member of the Drupal Security
Team

Coordinated By: 
* Ivo Van Geertruyen (mr.baileys) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Jess (xjm) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/gtm
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/gtm/releases/8.x-1.10
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/apolitsin
[6] https://www.drupal.org/u/prudloff
[7] https://www.drupal.org/u/mrbaileys
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/xjm

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


  • [IT-SecNots] [Security-news] GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094, security-news, 30.07.2025

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang