it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109
- Date: Wed, 24 Sep 2025 17:27:34 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-109
Project: Umami Analytics [1]
Date: 2025-September-24
Security risk: *Moderately critical* 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: <1.0.1
CVE IDs: CVE-2025-10931
Description:
This module enables you to add the Umami Analytics web statistics tracking
system to your website.
The "administer umami analytics" permission allows inserting an arbitrary
JavaScript file on every page. While this is an expected feature, the
permission lacks the "restrict access" flag, which should alert
administrators that this permission is potentially dangerous and can lead to
cross-site scripting (XSS) vulnerabilities.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission “administer umami analytics”.
Solution:
Install the latest version:
* If you use the Umami Analytics module, upgrade to Umami Analytics 1.0.1 [3]
or 2.0.0-beta3 [4]
Sites are encouraged to review which roles have that permission and which
users have that role, to ensure that only trusted users have that permission.
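One way to carry out that review on a Drupal 10/11 site, as an added example that is not part of the advisory or of the Umami Analytics module: a Drush PHP script that lists every role granting "administer umami analytics" and every user holding such a role. The file name is an assumption; the permission name is the one from the advisory.

```php
<?php
// Added example (not from the advisory or the Umami Analytics project).
// Run from the site root with:  drush php:script audit_umami_perm.php
// The file name is assumed; the permission name is the one the advisory names.

use Drupal\user\Entity\Role;
use Drupal\user\Entity\User;
use Drupal\user\RoleInterface;

$permission = 'administer umami analytics';

// Roles granting the permission. A role flagged is_admin (normally
// "administrator") implicitly holds every permission, so hasPermission()
// also returns TRUE for it; it is marked as implicit below.
$granting = [];
foreach (Role::loadMultiple() as $rid => $role) {
  if ($role->hasPermission($permission)) {
    $granting[$rid] = $role->isAdmin() ? 'implicit (admin role)' : 'explicit';
  }
}

if (!$granting) {
  print "No role grants '$permission'.\n";
  return;
}

foreach ($granting as $rid => $how) {
  print "Role '$rid' grants the permission ($how)\n";

  // The anonymous and authenticated roles are not stored on user accounts,
  // so granting the permission there means every visitor / every account has it.
  if (in_array($rid, [RoleInterface::ANONYMOUS_ID, RoleInterface::AUTHENTICATED_ID], TRUE)) {
    print "  -> applies to ALL users in this class; remove the grant.\n";
    continue;
  }

  // Users carrying this role, including blocked accounts (still worth knowing).
  $uids = \Drupal::entityQuery('user')
    ->accessCheck(FALSE)
    ->condition('roles', $rid)
    ->execute();
  foreach (User::loadMultiple($uids) as $user) {
    printf("  uid %d  %s%s\n", $user->id(), $user->getAccountName(),
      $user->isBlocked() ? '  (blocked)' : '');
  }
}

// uid 1 bypasses the permission system entirely and is never listed above.
print "Note: uid 1 always has every permission regardless of roles.\n";
```

Any account or role listed that does not need to change the site-wide tracking script should have the permission removed, since holders can inject arbitrary JavaScript into every page.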
Reported By:
* Pierre Rudloff (prudloff) [5]
Fixed By:
* Ivica Puljic (pivica) [6]
Coordinated By:
* Damien McKenna (damienmckenna) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Pierre Rudloff (prudloff) [9] provisional member of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [10]
[1] https://www.drupal.org/project/umami_analytics
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/umami_analytics/releases/1.0.1
[4] https://www.drupal.org/project/umami_analytics/releases/2.0.0-beta3
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/pivica
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/prudloff
[10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3548503