etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074

Project:

etracker

Date:

2025-May-28

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Cross Site Scripting

Affected versions:

<3.1.0

CVE IDs:

CVE-2025-48920

Description:

The module adds the etracker web statistics tracking system to your website.

The cookies_etracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).

Solution:

Install the latest version:

If you use the etracker module for Drupal 9 and above, upgrade to etracker 8.x-3.1

Reported By:

Pierre Rudloff (prudloff) Provisional Member of the Drupal Security Team

Fixed By:

Coordinated By:

Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) Provisional Member of the Drupal Security Team
Cathy Theys (yesct) of the Drupal Security Team

Contribution record

etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community