This module has an API key sent as cleartext vulnerability.

You can see this vulnerability by looking at:
* chartbeat_dashboard_page()
* chartbeat_publishing_dashboard_page()
* chartbeat_form_node_admin_content_alter()
* _chartbeat_dashboard_view()

All of them have URL calls to chartbeat.com including the API key in the request and none of them is sent over HTTPS, making it vulnerable to sniffing.

Also, I did not find the development 7.x-2.x branch to file the bug against. Development and bug reporting/testing/fixing must be done against a 7.x-2.x branch and 7.x-2.0 should be just a tag.
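As an added example (not code from this issue or from the Chartbeat module), a small static check a reviewer could run over a module's PHP source to locate the pattern the report describes: URL literals pointing at chartbeat.com over plain http://, with a note on whether the literal itself already carries a key-like query parameter. The PHP sample, its endpoint paths and the parameter names are constructed for illustration.

```python
import re
from typing import List, NamedTuple
from urllib.parse import parse_qs, urlsplit

# Added example, not the module's own code. Flags http:// URL literals to the
# target host (and its subdomains); those requests would expose any API key
# they carry to a network sniffer, which is the defect the issue reports.


class Finding(NamedTuple):
    line_no: int
    url: str
    carries_key: bool  # True when the literal holds a key-like query parameter


URL_LITERAL = re.compile(r"""https?://[^\s'"]+""")
KEY_PARAMS = {"apikey", "api_key", "key", "token"}  # assumed parameter names


def is_target_host(host: str, target: str) -> bool:
    """True for the target and its subdomains, but not for lookalike hosts."""
    host = host.lower()
    return host == target or host.endswith("." + target)


def find_cleartext_calls(php_source: str, target_host: str = "chartbeat.com") -> List[Finding]:
    """Return every http:// URL literal to target_host, with its source line."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for match in URL_LITERAL.finditer(line):
            url = match.group(0)
            parts = urlsplit(url)
            if parts.scheme != "http" or not is_target_host(parts.hostname or "", target_host):
                continue  # HTTPS, or some other host: not the reported defect
            params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
            findings.append(Finding(line_no, url, bool(params & KEY_PARAMS)))
    return findings


# Constructed sample resembling the reported pattern; not the real module source.
SAMPLE_MODULE = """<?php
// constructed sample
function chartbeat_dashboard_page() {
  $key = variable_get('chartbeat_api_key', '');
  $url = 'http://chartbeat.com/dashboard/?apikey=' . $key;
  return drupal_http_request($url);
}
function chartbeat_publishing_dashboard_page() {
  $url = url('http://chartbeat.com/publishing/', array('query' => array('apikey' => $key)));
}
function _chartbeat_dashboard_view_fixed() {
  $url = 'https://chartbeat.com/dashboard/?apikey=' . $key;  // TLS: not reported
}
$docs = 'http://example.com/docs/?key=abc';  // other host: not reported
"""

if __name__ == "__main__":
    for f in find_cleartext_calls(SAMPLE_MODULE):
        print(f"line {f.line_no}: {f.url} (key in literal: {f.carries_key})")
```

The second finding shows the case where the key is attached through a query array rather than the literal, which is why the check reports every http:// call to the host and not only those with a visible key parameter.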

Comments

rickmanelius

FYI. This was discussed in the security issue queue and deemed acceptable to handle in the public issue queues. That said, I'd recommend getting the correction in place sooner than later.