Project: 
Date: 2017-October-18
Vulnerability: Cross site scripting
Description: 

The Yandex.Metrics module allows you to look at key indicators of your site's effectiveness.

The module doesn't sufficiently warn users that access to its settings page should not be given to untrusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Yandex.Metrics settings."

Edited October 19, 2017 to add a note about checking permissions.

Solution: 

Install the latest version:

  • If you use the Yandex.Metrics module for Drupal 7.x, upgrade to Yandex.Metrics 7.x-3.1 and also examine your site's permission configuration to ensure that only highly-trusted administrators have the "Administer Yandex.Metrics Settings" permission.
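
One way to carry out the permission review, as an added example that is not part of the advisory or the module: two queries against the Drupal 7 `role_permission`, `role`, `users_roles` and `users` tables. It assumes the default schema with no table prefix and that the permission is stored under the string quoted in this advisory.

```sql
-- Added example: audit who holds the permission named in this advisory.
-- Assumptions: Drupal 7 default schema, no table prefix, and the permission
-- stored under the string quoted in the advisory. LOWER() is used because the
-- advisory writes the name with two different capitalisations and some
-- database back ends compare strings case-sensitively.

-- 1) Roles that carry the permission. rid 1 (anonymous user) and rid 2
--    (authenticated user) are built-in roles: a grant to either one reaches
--    every visitor or every logged-in account.
SELECT r.rid,
       r.name AS role_name,
       CASE
         WHEN r.rid = 1 THEN 'granted to ALL visitors'
         WHEN r.rid = 2 THEN 'granted to ALL logged-in users'
         ELSE 'review role membership'
       END AS exposure
FROM role_permission rp
JOIN role r ON r.rid = rp.rid
WHERE LOWER(rp.permission) = LOWER('administer Yandex.Metrics settings')
ORDER BY r.rid;

-- 2) Accounts that receive the permission through a custom role.
--    users_roles holds no rows for rid 1 or rid 2, so grants to those roles
--    appear only in query 1. status = 1 is an active account, 0 is blocked.
--    uid 1 bypasses permission checks and is not listed unless it also
--    holds one of these roles.
SELECT u.uid,
       u.name AS account,
       u.status,
       r.name AS via_role
FROM role_permission rp
JOIN role r         ON r.rid  = rp.rid
JOIN users_roles ur ON ur.rid = rp.rid
JOIN users u        ON u.uid  = ur.uid
WHERE LOWER(rp.permission) = LOWER('administer Yandex.Metrics settings')
ORDER BY u.name;
```

Any row from the first query with rid 1 or 2, or any account in the second query that is not a highly-trusted administrator, is a grant to revoke.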

Also see the Yandex.Metrics project page.

Reported By: 
Fixed By: 
Coordinated By: