The module doesn't sufficiently sanitize the Siteimprove Analytics identification code when inserting the JavaScript tracking code; this could be exploited to achieve Cross-Site Scripting (XSS).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer siteimprove_analytics".
Install the latest version:
- If you use the siteimprove_analytics module for Drupal verision prior 10.3, upgrade to siteimprove_analytics 2.0.1
- Pierre Rudloff (prudloff) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Pierre Rudloff (prudloff) of the Drupal Security Team