[Security-news] Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

security-news at drupal.org security-news at drupal.org
Wed Dec 6 19:20:27 UTC 2017


View online: https://www.drupal.org/sa-contrib-2017-092

Project: Node feedback [1]
Version: 7.x-1.2
Date: 2017-December-06
Security risk: *Moderately critical* 12∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access Bypass

Description: 
This module enables you to configure nodes so that feedback about them can be
sent through personal/site-wide contact forms.
The module doesn't sufficiently check access to nodes whose titles are
shown on contact forms.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Use the site-wide contact form" or "Use users' personal
contact forms" which is often assigned to untrusted user roles such as
anonymous.
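
The kind of access check the description refers to, as an added example that is not the Node feedback module's own code: a Drupal 7 form alter that puts a node title on the site-wide contact form only after node_access() passes for the current user. The module name "mymodule" and the "nid" query parameter are assumptions made for illustration.

```php
<?php
/**
 * Implements hook_form_FORM_ID_alter() for contact_site_form.
 *
 * Hypothetical module "mymodule": shows the title of a referenced node on the
 * site-wide contact form. The "nid" query parameter is an assumption.
 */
function mymodule_form_contact_site_form_alter(&$form, &$form_state, $form_id) {
  $params = drupal_get_query_parameters();

  // Accept only a plain decimal node id; ignore arrays and other input.
  if (empty($params['nid']) || !is_string($params['nid']) || !ctype_digit($params['nid'])) {
    return;
  }
  $node = node_load((int) $params['nid']);

  // Weak pattern: using $node->title at this point, with no access check,
  // would show titles of unpublished or access-restricted nodes to every role
  // that holds a contact form permission.

  // Hardened pattern: node_access() applies the published status and any node
  // access modules for the current user. A missing node and a denied node are
  // handled the same way, so the form does not reveal which node ids exist.
  if (!$node || !node_access('view', $node)) {
    return;
  }

  $form['mymodule_node'] = array(
    '#type' => 'item',
    '#title' => t('Feedback about'),
    // Escape the title before it is placed in markup.
    '#markup' => check_plain($node->title),
    '#weight' => -10,
  );
}
```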

Solution: 
Install the latest version:

   * If you use the Node feedback module for Drupal 7, upgrade to Node feedback
     7.x-1.3 [3]

Also see the Node feedback [4] project page.

Reported By: 
   * Tatar Balazs Janos [5]

Fixed By: 
   * Tatar Balazs Janos [6]
   * Bhavin H. Joshi [7] the module maintainer

Coordinated By: 
   * Greg Knaddison [8] of the Drupal Security Team
   * Lee Rowlands [9] of the Drupal Security Team


[1] https://www.drupal.org/project/node_feedback
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/node_feedback/releases/7.x-1.3
[4] https://www.drupal.org/project/node_feedback
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/u/tatarbj
[7] https://www.drupal.org/user/219482
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/larowlan


