Project:
Date:
2024-October-30
Vulnerability:
Cross Site Scripting
Affected versions:
<1.0.18
CVE IDs:
CVE-2024-13289
Description:
This module makes it possible for you to integrate Cookiebot and Google Tag Manager in a fast and simple way.
The module doesn't sufficiently filter for malicious scripts, leading to a persistent cross-site scripting (XSS) vulnerability.
Solution:
Install the latest version and review settings:
- If you use the Cookiebot + GTM module for Drupal, upgrade to Cookiebot + GTM 1.0.18
- Additionally, the new codebase adds validation and permission changes, so admins should re-save the configuration form at /admin/config/cookiebot_gtm and confirm which roles have permission to configure the module at /admin/people/permissions.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Cathy Theys of the Drupal Security Team