Primary

Context

Drupal Google Analytics GA4 Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Drupal Google Analytics GA4 module, affecting versions prior to 1.1.14. The issue arises because the module allows users to add custom attributes to the script tag for loading the Google Analytics library, but it does not properly sanitize these attributes. This vulnerability can be exploited by an attacker with the 'ga4 configure' permission, who could inject malicious JavaScript into event handlers or alter the script source, leading to XSS on pages where the GA4 script is used.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

Users of the Google Analytics GA4 module should upgrade to version 1.1.14.

Added: Mar 26, 2026, 9:54 PM

Updated: Mar 26, 2026, 9:54 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

4.5

remediation

0.0

relevance

4.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

4.5

remediation

0.0

relevance

4.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Drupal Google Analytics GA4 Cross-Site Scripting Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating