Drupal · Google Analytics 4 · CVE-2026-3529
**Name of the Vulnerable Software and Affected Versions**
Drupal Google Analytics GA4 versions prior to 1.1.14
**Description**
The Google Analytics GA4 module does not properly sanitize custom attributes added to the script tag used to load the Google Analytics library, leading to a Cross-Site Scripting (XSS) issue. An attacker with the "ga4 configure" or "administer google analytics ga4 settings" permission could inject malicious JavaScript through event handler attributes, such as `onload`, or override the script source. The injected script could then execute on all pages where the GA4 script is loaded.
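
An added example, not the module's code and not the fix shipped in 1.1.14: one way to validate admin-supplied script attributes against an allowlist so that event handlers such as `onload` and a `src` override are rejected before the tag is rendered. The function names, the allowlist, the loader URL placeholder and the sample input are assumptions made for illustration; it requires PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist for this example; it is not taken from the GA4 module.
const ALLOWED_SCRIPT_ATTRIBUTES = ['async', 'defer', 'nonce', 'crossorigin', 'referrerpolicy', 'integrity'];

/**
 * Splits admin-supplied <script> attributes into accepted and rejected sets.
 * Returns ['accepted' => name => value, 'rejected' => name => reason].
 */
function filter_script_attributes(array $attributes): array {
  $accepted = $rejected = [];
  foreach ($attributes as $name => $value) {
    $key = strtolower(trim((string) $name));
    if (!preg_match('/^[a-z][a-z0-9-]*$/', $key)) {
      $rejected[$key] = 'invalid attribute name';
    } elseif (str_starts_with($key, 'on')) {
      $rejected[$key] = 'event handler attribute';
    } elseif ($key === 'src') {
      $rejected[$key] = 'would override the script source';
    } elseif (!in_array($key, ALLOWED_SCRIPT_ATTRIBUTES, true) && !str_starts_with($key, 'data-')) {
      $rejected[$key] = 'not on the allowlist';
    } else {
      $accepted[$key] = (string) $value;
    }
  }
  return ['accepted' => $accepted, 'rejected' => $rejected];
}

/** Renders the loader tag; $src is fixed by code, never by the attribute list. */
function render_script_tag(string $src, array $accepted): string {
  $html = '<script src="' . htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
  foreach ($accepted as $name => $value) {
    // Values are escaped for the HTML attribute context at output time.
    $html .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
  }
  return $html . '></script>';
}

// Constructed sample input, not real site configuration.
$result = filter_script_attributes([
  'async' => 'async',
  'data-consent' => 'statistics',
  'onload' => 'handler()',
  'SRC' => 'https://example.invalid/other.js',
  'nonce' => 'abc"123',
]);
echo render_script_tag('https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE', $result['accepted']), PHP_EOL;
print_r($result['rejected']);
```
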
**Recommendations**
Update to version 1.1.14 or later.