The Yandex.Metrics module allows you to look for key indicators of your site effectiveness.
The module doesn't sufficiently let users know a setting page should not be given to untrusted users.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Yandex.Metrics settings."
Edited October 19, 2017 to add a note about checking permissions.
Install the latest version:
- If you use the Yandex.Metrics module for Drupal 7.x, upgrade to Yandex.Metrics 7.x-3.1 and also examine your site's permission configuration to ensure that only highly-trusted administrators have the "Administer Yandex.Metrics Settings" permission.
Also see the Yandex.Metrics project page.
- Tatar Balazs Janos
- Konstantin Komelin the module maintainer
- Michael Hess of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team