View online: https://www.drupal.org/sa-contrib-2017-092
Project: Node feedback [1]
Version: 7.x-1.2
Date: 2017-December-06
Security risk: *Moderately critical* 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access Bypass
Description: This module enables you to set nodes to send feedback via personal/site-wide contact forms. The module doesn't sufficiently check access to the nodes whose titles are shown on contact forms.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the site-wide contact form" or "Use users' personal contact forms", which is often assigned to untrusted user roles such as anonymous.
Solution: Install the latest version:
* If you use the node feedback module for Drupal 7, upgrade to node feedback 7.x-1.3 [3]
Also see the Node feedback [4] project page.
Reported By:
* Tatar Balazs Janos [5]
Fixed By:
* Tatar Balazs Janos [6]
* Bhavin H. Joshi [7] the module maintainer
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team
[1] https://www.drupal.org/project/node_feedback
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/node_feedback/releases/7.x-1.3
[4] https://www.drupal.org/project/node_feedback
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/u/tatarbj
[7] https://www.drupal.org/user/219482
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/larowlan