Drupal Security TeamDRUPAL-SA-CONTRIB-2012-167SA-CONTRIB-2012-167 - Mixpanel - Cross site scripting (XSS)
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:S/C:N/I:P/A:N
EPSS
Percentile
99.7%
This module provides integration with the Mixpanel real-time analytics service.
The module doesn’t sufficiently escape the Mixpanel token when adding the tracking Javascript to the page.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access administration pages”.
CVE: CVE-2012-5585
Versions affected
- Mixpanel 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed Mixpanel module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Mixpanel module for Drupal 6.x, upgrade to Mixpanel 6.x-1.1
Also see the Mixpanel project page.
Reported by
Fixed by
- wundo the module maintainer
- David Snopek
Coordinated by
- Greg Knaddison of the Drupal Security Team
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:S/C:N/I:P/A:N
EPSS
Percentile
99.7%