View online: https://www.drupal.org/sa-contrib-2017-78
Project: Yandex.Metrics [1]
Version: 7.x-3.x-dev, 7.x-2.x-dev, 7.x-1.x-dev
Date: 2017-October-18
Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description: The Yandex.Metrics module allows you to look for key indicators of your site effectiveness.
The module doesn't sufficiently let users know that a settings page should not be given to untrusted users.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Yandex.Metrics settings".
Solution: Install the latest version:
* If you use the Yandex.Metrics module for Drupal 7.x, upgrade to Yandex.Metrics 7.x-3.1 [3]
Also see the Yandex.Metrics [4] project page.
Reported By:
* Tatar Balazs Janos [5]
Fixed By:
* Tatar Balazs Janos [6]
* Konstantin Komelin [7] the module maintainer
Coordinated By:
* Michael Hess [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/yandex_metrics
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/yandex_metrics/releases/7.x-3.1
[4] https://www.drupal.org/project/yandex_metrics
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/u/tatarbj
[7] https://www.drupal.org/user/1195752
[8] https://www.drupal.org/u/mlhess
[9] https://www.drupal.org/u/greggles