DRUPAL-CONTRIB-2025-011

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/google_tag/DRUPAL-CONTRIB-2025-011.json

JSON Data

https://api.test.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-011

Aliases

Published

2025-01-29T17:13:29Z

Modified

2025-12-09T03:15:03.365192Z

Summary

[none]

Details

This module enables you to integrate the site with the Google Tag Manager (GTM) application.

The module doesn't have the "restrict access" flag on the "administer google_tag_container" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicious JS, resulting in a cross site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the aforementioned permission.

References

https://www.drupal.org/sa-contrib-2025-011

Credits

- Pierre Rudloff
- - https://www.drupal.org/user/3611858

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/google_tag

Package

Name: drupal/google_tag
Purl: pkg:composer/drupal/google_tag

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.8.0

Database specific

{
    "constraint": "<1.8.0"
}

Type

ECOSYSTEM

Events

Introduced

2.0.0

Fixed

2.0.8

Database specific

{
    "constraint": ">=2.0.0 <2.0.8"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/google_tag/DRUPAL-CONTRIB-2025-011.json"

affected_versions

"<1.8.0 || >=2.0.0 <2.0.8"