Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2017-December-06
Vulnerability:
Access Bypass
Description:
This module enables you to set nodes to send feedbacks by personal/site wide contact forms.
The module doesn't sufficiently handle the access to nodes whose titles will be shown on contact forms.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the site-wide contact form" or "Use users' personal contact forms" which is often assigned to untrusted user roles such as anonymous.
Solution:
Install the latest version:
- If you use the node feedback module for Drupal 7, upgrade to node feedback 7.x-1.3
Also see the Node feedback project page.
Reported By:
Fixed By:
- Tatar Balazs Janos
- Bhavin H. Joshi the module maintainer
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
