DRUPAL-CONTRIB-2025-012

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/google_tag/DRUPAL-CONTRIB-2025-012.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-012

Aliases

Published

2025-01-29T17:16:19Z

Modified

2025-12-10T23:41:02.459218Z

Summary

[none]

Details

This module enables you to integrate the site with the Google Tag Manager (GTM) application.

The module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery (CSRF).

This vulnerability is mitigated by the fact that an attacker needs to know the machine name of the container. The machine name is a random string, making an attack more difficult.

References

https://www.drupal.org/sa-contrib-2025-012

Credits

- Florent Torregrosa
- - https://www.drupal.org/user/2388214
- Pierre Rudloff
- - https://www.drupal.org/user/3611858

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/google_tag

Package

Name: drupal/google_tag
Purl: pkg:composer/drupal/google_tag

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.8.0

Database specific

{
    "constraint": "<1.8.0"
}

Type

ECOSYSTEM

Events

Introduced

2.0.0

Fixed

2.0.8

Database specific

{
    "constraint": ">=2.0.0 <2.0.8"
}

Database specific

affected_versions

"<1.8.0 || >=2.0.0 <2.0.8"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/google_tag/DRUPAL-CONTRIB-2025-012.json"