View online: https://www.drupal.org/sa-contrib-2017-78

Project: Yandex.Metrics [1]
Version: 7.x-3.x-dev, 7.x-2.x-dev, 7.x-1.x-dev
Date: 2017-October-18
Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Description:

The Yandex.Metrics module allows you to look for key indicators of your site effectiveness.

The module doesn't sufficiently let users know a setting page should not be given to untrusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Yandex.Metrics settings."

Solution:

Install the latest version:

* If you use the Yandex.Metrics module for Drupal 7.x, upgrade to its 7.x-3.1 [3]

Also see the Yandex.Metrics [4] project page.

Reported By:

* Tatar Balazs Janos [5]

Fixed By:

* Tatar Balazs Janos [6]
* Konstantin Komelin [7] the module maintainer

Coordinated By:

* Michael Hess [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team

[1] https://www.drupal.org/project/yandex_metrics
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/yandex_metrics/releases/7.x-3.1
[4] https://www.drupal.org/project/yandex_metrics
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/u/tatarbj
[7] https://www.drupal.org/user/1195752
[8] https://www.drupal.org/u/mlhess
[9] https://www.drupal.org/u/greggles