Cross-Site Scripting Vulnerability in Google Tag by Drupal
CVE-2025-31682

4.8MEDIUM

Key Information:

Vendor: Drupal
Status: Google Tag
Vendor: CVE Published:; 31 March 2025

Summary

A vulnerability exists in the Google Tag component of Drupal, where improper neutralization of input during web page generation leads to potential Cross-Site Scripting (XSS) attacks. This issue affects specific versions of Google Tag, allowing attackers to inject malicious scripts into web pages viewed by users, which could result in unauthorized actions or data exposure. It is crucial for users to update to the non-vulnerable versions to safeguard their web applications.

Affected Version(s)

Google Tag 0.0.0 < 1.8.0

Google Tag 2.0.0 < 2.0.8

References

https://www.drupal.org/sa-contrib-2025-011

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 31, 2025
Vulnerability Reserved
Mar 31, 2025

Credit

Pierre Rudloff

Jakob P

Jim Berry

Greg Knaddison

Juraj Nemec