drupal | Drupal Security Team | DRUPAL-SA-CONTRIB-2010-024
History: Mar 03, 2010 - 12:00 a.m.

SA-CONTRIB-2010-024 - eTracker - Cross Site Scripting

2010-03-03 00:00:00
Drupal Security Team
www.drupal.org
7

EPSS

0.967

Percentile

99.7%

The eTracker module provides integration of a Drupal site with the eTracker web traffic analysis service and takes the current URL as a parameter to track what pages have been visited. The URL from the browser is forwarded to JavaScript in the current page, and because the URL wasn’t sanitised, it could have allowed cross-site scripting attacks by appending malicious code to the URL.
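The bug class described above, shown as an added example; this is not code from the eTracker module or its fix. The function names, the `et_url` variable and the sample URLs are constructed for illustration. It contrasts pasting the request URL into an inline script with serializing it as an escaped string literal, and checks whether the value stays data.

```javascript
// Added illustration; names and sample URLs are assumptions, not module code.

// Unsafe: the request URL is pasted between quotes in an inline script.
function renderUnsafe(url) {
  return '<script>var et_url = "' + url + '";</script>';
}

// Serialize as a string literal, then escape characters that matter to the
// HTML parser (<, >, &) or that older JavaScript engines treat as line
// terminators (U+2028, U+2029).
function toInlineJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Safe: the URL can only ever be the contents of one string literal.
function renderSafe(url) {
  return '<script>var et_url = ' + toInlineJsString(url) + ';</script>';
}

// Check: cut the script body where an HTML parser would (first "</script"),
// then require it to be exactly one assignment of a literal that decodes
// back to the original URL. Anything else means the URL changed the code.
function staysData(html, url) {
  const end = html.search(/<\/script/i);
  const body = html.slice('<script>'.length, end);
  const m = /^var et_url = (.*);$/.exec(body);
  if (!m) return false;
  try {
    return JSON.parse(m[1]) === url;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs.
const SAMPLES = {
  plain: 'http://example.com/node/1',
  quoteBreak: 'http://example.com/node/1?x="+document.title+"',
  tagBreak: 'http://example.com/node/1?x=</script><b>',
};
```

The plain URL passes through both renderers unchanged, which is why this kind of defect tends to survive normal testing.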

Versions affected

  • eTracker prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed eTracker module, there is nothing you need to do.

Solution

Install the latest version:

See also the eTracker project page.

Reported by

  • Andreas Harder

Fixed by

  • Jürgen Haas (jurgenhaas), the module maintainer.
