Siteimprove Analytics
Monthly
Cross-site scripting in Drupal's Siteimprove Analytics contributed module (all versions before 2.0.1) allows an authenticated low-privileged attacker to inject malicious scripts that execute in a victim user's browser session. The CVSS scope change (S:C) indicates the attack crosses the application trust boundary, enabling potential session hijacking or privilege escalation against higher-privileged users such as administrators who view attacker-controlled content. No public exploit code exists and EPSS of 0.19% (8th percentile) confirms low real-world exploitation probability; no active exploitation has been identified at time of analysis.
Cross-site scripting in Drupal's Siteimprove Analytics contributed module (all versions before 2.0.1) allows an authenticated low-privileged attacker to inject malicious scripts that execute in a victim user's browser session. The CVSS scope change (S:C) indicates the attack crosses the application trust boundary, enabling potential session hijacking or privilege escalation against higher-privileged users such as administrators who view attacker-controlled content. No public exploit code exists and EPSS of 0.19% (8th percentile) confirms low real-world exploitation probability; no active exploitation has been identified at time of analysis.