Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-January-29
Vulnerability:
Cross Site Request Forgery
Affected versions:
<1.8.0 || >=2.0.0 <2.0.8
CVE IDs:
CVE-2025-31683
Description:
This module enables you to integrate the site with the Google Tag Manager (GTM) application.
The module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery (CSRF).
This vulnerability is mitigated by the fact that an attacker needs to know the machine name of the container. The machine name is a random string, making an attack more difficult.
Solution:
Install the latest version:
- If you use the Google Tag module 8.x, upgrade to Google Tag 8.x-1.8
- If you use the Google Tag module 2.0.x, upgrade to Google Tag 2.0.8
Reported By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
