
it-securitynotifies - [IT-SecNots] [Security-news] Feedback Collect - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-090

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Feedback Collect - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-090
  • Date: Wed, 6 Dec 2017 19:17:42 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2017-090

Project: Feedback Collect [1]
Version: 7.x-1.5
Date: 2017-December-06
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting (XSS)

Description: 
This module enables you to add feedback forms and gather end user feedback,
bug reports or any kind of suggestions. 

The module doesn't sufficiently filter the output of its own fields when
creating or editing feedback-collect content types.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "create feedback-collect content" or its related editing
permissions.

Solution: 
Install the latest version:

* If you use the Feedback Collect module for Drupal 7.x, upgrade to
Feedback Collect 7.x-1.6 [3]

Also see the Feedback Collect [4] project page.

Reported By: 
* Tatar Balazs Janos [5]

Fixed By: 
* Tatar Balazs Janos [6]
* Jelena Krmar [7] the module maintainer

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/feedback_collect
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/feedback_collect/releases/7.x-1.6
[4] https://www.drupal.org/project/feedback_collect
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/u/tatarbj
[7] https://www.drupal.org/user/3097287
[8] https://www.drupal.org/u/greggles
