[Security-news] Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012
security-news at drupal.org
security-news at drupal.org
Wed Jan 29 17:49:33 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-012
Project: Google Tag [1]
Date: 2025-January-29
Security risk: *Moderately critical* 12 ∕ 25
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery
Affected versions: <1.8.0 || >=2.0.0 <2.0.8
Description:
This module enables you to integrate the site with the Google Tag Manager
(GTM) application.
The module doesn't sufficiently validate the enabling or disabling of a tag
container. The routes involved are not protected against Cross Site Request
Forgery (CSRF).
This vulnerability is mitigated by the fact that an attacker needs to know
the machine name of the container. The machine name is a random string,
making an attack more difficult.
Solution:
Install the latest version:
* If you use the Google Tag module 8.x, upgrade to Google Tag 8.x-1.8 [3]
* If you use the Google Tag module 2.0.x, upgrade to Google Tag 2.0.8 [4]
Reported By:
* Pierre Rudloff [5]
* Florent Torregrosa [6]
Fixed By:
* Jim Berry [7]
* Jakob P [8]
Coordinated By:
* Greg Knaddison [9] of the Drupal Security Team
* Juraj Nemec [10] of the Drupal Security Team
[1] https://www.drupal.org/project/google_tag
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/google_tag/releases/8.x-1.8
[4] https://www.drupal.org/project/google_tag/releases/2.0.8
[5] https://www.drupal.org/user/3611858
[6] https://www.drupal.org/user/2388214
[7] https://www.drupal.org/user/240748
[8] https://www.drupal.org/user/45640
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/272316
More information about the Security-news
mailing list