This module has an API key sent as cleartext vulnerability.
You can see this vulnerability by looking at:
* chartbeat_dashboard_page()
* chartbeat_publishing_dashboard_page()
* chartbeat_form_node_admin_content_alter()
* _chartbeat_dashboard_view()
All of them have URL calls to chartbeat.com including the API key in the request and none of them is sent over HTTPS, making it vulnerable to sniffing.
Also, I did not find the development 7.x-2.x branch to file the bug against. Development and bug reporting/testing/fixing must be done against a 7.x-2.x branch and 7.x-2.0 should be just a tag.
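An added example, not part of the original report and not the module's own code: a small source audit that flags `http://` URLs built with a credential-style query parameter and names the enclosing PHP function, which is the pattern the report describes. The sample PHP, its function names, the host and the `apikey` parameter name are constructed assumptions.

```python
import re

# Constructed sample in the style of a Drupal 7 module file. It is NOT the
# chartbeat module's source; function names, host and the "apikey" parameter
# name are assumptions made for this illustration.
SAMPLE_PHP = r'''
function example_dashboard_page() {
  $key = variable_get('example_api_key', '');
  $url = 'http://api.example.com/live/?apikey=' . $key . '&host=' . $host;
  return drupal_http_request($url);
}

function example_secure_page() {
  $url = 'https://api.example.com/live/?apikey=' . $key;
  return drupal_http_request($url);
}

function example_help_page() {
  return l(t('Docs'), 'http://example.com/docs');
}
'''

FUNC_RE = re.compile(r'^\s*function\s+&?\s*([A-Za-z_]\w*)\s*\(')
CLEARTEXT_URL_RE = re.compile(r'''http://[^'"\s]+''', re.IGNORECASE)
# Query parameters that usually carry a credential (assumed naming).
KEY_PARAM_RE = re.compile(r'[?&](?:api_?key|key|token)=', re.IGNORECASE)


def find_cleartext_key_urls(php_source):
    """Return (function, line_no, url) for each http:// URL built with a key parameter."""
    findings = []
    current_function = None
    for line_no, line in enumerate(php_source.splitlines(), 1):
        decl = FUNC_RE.match(line)
        if decl:
            current_function = decl.group(1)
        url = CLEARTEXT_URL_RE.search(line)
        # Check from the URL onward so keys appended by later concatenation count too.
        if url and KEY_PARAM_RE.search(line[url.start():]):
            findings.append((current_function, line_no, url.group(0)))
    return findings


if __name__ == '__main__':
    for func, line_no, url in find_cleartext_key_urls(SAMPLE_PHP):
        print(f'{func}() line {line_no}: credential sent over cleartext: {url}')
```

Only the first function in the sample is reported; the HTTPS call and the plain documentation link are not.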
Comments
Comment #1
rickmanelius commented:
FYI. This was discussed in the security issue queue and deemed acceptable to handle in the public issue queues. That said, I'd recommend getting the correction in place sooner than later.