Try our conversational search powered by Generative AI!

Bien Nguyen
Sep 20, 2023
  1956
(5 votes)

Vulnerability in EPiServer.GoogleAnalytics v3 and v4

Introduction

A potential security vulnerability was detected for Optimizely Google Analytics addon (including EPiServer.GoogleAnalytics and EPiServer.GoogleAnalytics.Commerce), with list of affected versions below. Optimizely websites based on CMS 12 and/or Customized Commerce 14 using the affected packages are affected by this vulnerability that might give an attacker access sensitive data in the application.

Risk

Overall, the risk of the vulnerability is high. The issue was fixed in EPiServer.GoogleAnalytics v4.2.0 (GA-471). Mitigation is in place for all DXP service customers.

Update (September 20): we've re-evaluated the situation and decided to inform that, the risk of this vulnerability is critical!

Affected versions

The versions below of EPiServer.GoogleAnalytics and EPiServer.GoogleAnalytics.Commerce are affected by this vulnerability:

  • 3.0.0 (.netcore version to support CMS12)
  • 3.0.1
  • 4.0.0 (added support for GA4 which replaced the GA UA used in previous versions of EPiServer.GoogleAnalytics) 
  • 4.0.1
  • 4.1.0

Remediation

  • If using affted version of EPiServer.GoogleAnalytics in the list above, please update the to the version 4.2.0 or later.
  • Updated (September 22): The fix has been also backported to a v3 version (the version 3.0.2). If you are using an affected v3 version in the list above, and don't want to upgrade to the v4.2.0 version (or later)  then you can either update the version to 3.0.2 or simply uninstall the addon completely.

Please reach out to our support for further guidance by email to support@optimizely.com or submit a request at https://support.optimizely.com/hc/en-us.

Questions

Please contact the security engineering team at securityeng@optimizely.com.

Risk definitions

Low – little to no potential impact on Optimizely or customer environments/data. Vulnerability has low exploitability, for example: requirement for local or physical system access, zero reachability to/executability within Optimizely products/code.

Medium – some potential impact on Optimizely or customer environments/data. Vulnerability has medium exploitability, for example: requirement to be located on the same local network as the target, requirement for an individual to be manipulated via social engineering, requirement for user privileges, vulnerability achieves limited access to Optimizely products/code.

High – high potential impact on Optimizely or customer environments/data.  Vulnerability has high exploitability, for example:  achieves high level access to Optimizely products/code, could elevate privileges, could result in a significant data loss or downtime.

Critical – very significant potential impact on Optimizely or customer environments/data.  Vulnerability has very high exploitability, for example: achieves admin/root-level access to Optimizely products/code.  Vulnerability does not require any special authentication credentials/knowledge of Optimizely products/environments.

Sep 20, 2023

Comments

Please login to comment.
Latest blogs
Optimizely and the never-ending story of the missing globe!

I've worked with Optimizely CMS for 14 years, and there are two things I'm obsessed with: Link validation and the globe that keeps disappearing on...

Tomas Hensrud Gulla | Apr 18, 2024 | Syndicated blog

Visitor Groups Usage Report For Optimizely CMS 12

This add-on offers detailed information on how visitor groups are used and how effective they are within Optimizely CMS. Editors can monitor and...

Adnan Zameer | Apr 18, 2024 | Syndicated blog

Azure AI Language – Abstractive Summarisation in Optimizely CMS

In this article, I show how the abstraction summarisation feature provided by the Azure AI Language platform, can be used within Optimizely CMS to...

Anil Patel | Apr 18, 2024 | Syndicated blog

Fix your Search & Navigation (Find) indexing job, please

Once upon a time, a colleague asked me to look into a customer database with weird spikes in database log usage. (You might start to wonder why I a...

Quan Mai | Apr 17, 2024 | Syndicated blog