Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011

Project:

Google Tag

Date:

2025-January-29

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross Site Scripting

Affected versions:

<1.8.0 || >=2.0.0 <2.0.8

CVE IDs:

CVE-2025-31682

Description:

This module enables you to integrate the site with the Google Tag Manager (GTM) application.

The module doesn't have the "restrict access" flag on the "administer google_tag_container" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicious JS, resulting in a cross site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the aforementioned permission.

Solution:

Install the latest version:

If you use the Google Tag module 8.x, upgrade to Google Tag 8.x-1.8
If you use the Google Tag module 2.0.x, upgrade to Google Tag 2.0.8

Reported By:

Pierre Rudloff

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team
Juraj Nemec of the Drupal Security Team

Contribution record

Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community