Date
Severity
Moderately Critical
Vulnerability
Cross Site Request Forgery
Affected versions
< 7.x-2.3

Description

The module does not set the "restrict access" flag on the "administer google_tag_container" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicious JS, resulting in a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the aforementioned permission.
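
The missing flag and the mitigation described above, as an added example that is not the module's own code: a Drupal 7 `hook_permission()` entry without and with `'restrict access'`, plus a check that lists which roles hold a sensitive permission that lacks the flag. The function names, titles and role map are constructed for illustration; only the permission name comes from the advisory.

```php
<?php
// Added example. Function names, the title string and the role map are
// constructed; only the permission name is taken from the advisory.

// Shape of a Drupal 7 hook_permission() entry without the flag.
function example_permissions_before() {
  return array(
    'administer google_tag_container' => array(
      'title' => 'Administer Google Tag Manager containers',
    ),
  );
}

// Same entry with the flag set. Drupal 7 then shows its standard
// "give to trusted roles only" warning next to it on the permissions page.
function example_permissions_after() {
  $permissions = example_permissions_before();
  $permissions['administer google_tag_container']['restrict access'] = TRUE;
  return $permissions;
}

// Returns array(permission => roles holding it) for every sensitive
// permission that is defined without 'restrict access'.
function example_audit(array $permissions, array $sensitive, array $role_permissions) {
  $findings = array();
  foreach ($sensitive as $name) {
    if (!isset($permissions[$name]) || !empty($permissions[$name]['restrict access'])) {
      continue;
    }
    $findings[$name] = array();
    foreach ($role_permissions as $role => $granted) {
      if (in_array($name, $granted, TRUE)) {
        $findings[$name][] = $role;
      }
    }
  }
  return $findings;
}

// Constructed sample data. On a live site, module_invoke_all('permission')
// returns the definitions and user_roles(FALSE, $name) the roles holding $name.
$sensitive = array('administer google_tag_container');
$roles = array(
  'administrator' => array('administer google_tag_container', 'administer users'),
  'marketing editor' => array('administer google_tag_container'),
  'authenticated user' => array('access content'),
);
print_r(example_audit(example_permissions_before(), $sensitive, $roles));
print_r(example_audit(example_permissions_after(), $sensitive, $roles));
```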

Solution

Install the latest version.

If you use the Google Tag module, upgrade to Google Tag 7.x-2.4.


Reported by

  • Pierre Rudloff

Fixed by

  • Jakob P
  • Jim Berry
  • Brandon Bergren

Coordinated by

  • Greg Knaddison of the Drupal Security Team
  • Juraj Nemec of the Drupal Security Team
  • Tag1 D7ES