Help shape the future of CMS PaaS release notes! Take this quick survey and share your feedback. 

Bien Nguyen
Sep 20, 2023
  2559
(5 votes)

Vulnerability in EPiServer.GoogleAnalytics v3 and v4

Introduction

A potential security vulnerability was detected for Optimizely Google Analytics addon (including EPiServer.GoogleAnalytics and EPiServer.GoogleAnalytics.Commerce), with list of affected versions below. Optimizely websites based on CMS 12 and/or Customized Commerce 14 using the affected packages are affected by this vulnerability that might give an attacker access sensitive data in the application.

Risk

Overall, the risk of the vulnerability is high. The issue was fixed in EPiServer.GoogleAnalytics v4.2.0 (GA-471). Mitigation is in place for all DXP service customers.

Update (September 20): we've re-evaluated the situation and decided to inform that, the risk of this vulnerability is critical!

Affected versions

The versions below of EPiServer.GoogleAnalytics and EPiServer.GoogleAnalytics.Commerce are affected by this vulnerability:

  • 3.0.0 (.netcore version to support CMS12)
  • 3.0.1
  • 4.0.0 (added support for GA4 which replaced the GA UA used in previous versions of EPiServer.GoogleAnalytics) 
  • 4.0.1
  • 4.1.0

Remediation

  • If using affted version of EPiServer.GoogleAnalytics in the list above, please update the to the version 4.2.0 or later.
  • Updated (September 22): The fix has been also backported to a v3 version (the version 3.0.2). If you are using an affected v3 version in the list above, and don't want to upgrade to the v4.2.0 version (or later)  then you can either update the version to 3.0.2 or simply uninstall the addon completely.

Please reach out to our support for further guidance by email to support@optimizely.com or submit a request at https://support.optimizely.com/hc/en-us.

Questions

Please contact the security engineering team at securityeng@optimizely.com.

Risk definitions

Low – little to no potential impact on Optimizely or customer environments/data. Vulnerability has low exploitability, for example: requirement for local or physical system access, zero reachability to/executability within Optimizely products/code.

Medium – some potential impact on Optimizely or customer environments/data. Vulnerability has medium exploitability, for example: requirement to be located on the same local network as the target, requirement for an individual to be manipulated via social engineering, requirement for user privileges, vulnerability achieves limited access to Optimizely products/code.

High – high potential impact on Optimizely or customer environments/data.  Vulnerability has high exploitability, for example:  achieves high level access to Optimizely products/code, could elevate privileges, could result in a significant data loss or downtime.

Critical – very significant potential impact on Optimizely or customer environments/data.  Vulnerability has very high exploitability, for example: achieves admin/root-level access to Optimizely products/code.  Vulnerability does not require any special authentication credentials/knowledge of Optimizely products/environments.

Sep 20, 2023

Comments

Please login to comment.
Latest blogs
How to: set access right to folders

Today I stumped upon this question Solution for Handling File Upload Permissions in Episerver CMS 12, and there is a simple solution for that Using...

Quan Mai | Feb 7, 2025 | Syndicated blog

Poking around in the new Visual Builder and the SaaS CMS

Early findings from using a SaaS CMS instance and the new Visual Builder grids.

Johan Kronberg | Feb 7, 2025 | Syndicated blog

Be careful with your (order) notes

This happened a quite ago but only now I have had time to write about it. Once upon a time, I was asked to look into a customer database (in a big...

Quan Mai | Feb 5, 2025 | Syndicated blog

Imagevault download picker

This open source extension enables you to download images as ImageData with ContentReference from the ImageVault picker. It serves as an alternativ...

Luc Gosso (MVP) | Feb 4, 2025 | Syndicated blog

Optimizely SaaS vs PaaS: A Comparison from Client and Developer Perspectives

Optimizely, one of the leading digital experience platform. Offering both Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) solutions....

Praful Jangid | Feb 3, 2025

Returning to Optimizely After Many Years

Returning to Optimizely After Many Years: A Journey Through Its New Features After several years away from Optimizely’s Content Management … More

Jose Neto | Feb 2, 2025 | Syndicated blog