DRUPAL-CONTRIB-2025-074

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/etracker/DRUPAL-CONTRIB-2025-074.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-074

Aliases

CVE-2025-48920

Published

2025-05-28T17:44:33Z

Modified

2025-12-10T23:41:33.796012Z

Summary

[none]

Details

The module adds the etracker web statistics tracking system to your website.

The cookies_etracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users.

A potential attacker would at least need permission to create and publish HTML (e.g. content or comments).

References

https://www.drupal.org/sa-contrib-2025-074

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/etracker

Package

Name: drupal/etracker
Purl: pkg:composer/drupal/etracker

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.1.0

Database specific

{
    "constraint": "<3.1.0"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/etracker/DRUPAL-CONTRIB-2025-074.json"

affected_versions

"<3.1.0"