DRUPAL-CONTRIB-2025-094

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/gtm/DRUPAL-CONTRIB-2025-094.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-094
Aliases
  • CVE-2025-8362
Published
2025-07-30T16:31:23Z
Modified
2025-12-10T23:41:29.265385Z
Summary
[none]
Details

This module enables you to integrate Google Tag Manager (GTM) into your Drupal site by allowing administrators to configure and embed GTM container snippets.

The module does not sufficiently sanitize the GTM container ID: a user holding the "Administer gtm" permission can enter malicious input into the GTM-ID field, and that value is inserted directly into a <script> tag, exposing the site to Cross-site Scripting (XSS).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission Administer gtm, and the input field is limited to 20 characters.

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/gtm

Package

Name
drupal/gtm
Purl
pkg:composer/drupal/gtm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.10.0
Database specific
{
    "constraint": "<1.10.0"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/gtm/DRUPAL-CONTRIB-2025-094.json"
affected_versions
"<1.10.0"