it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092
- Date: Wed, 6 Dec 2017 19:20:27 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2017-092
Project: Node feedback [1]
Version: 7.x-1.2
Date: 2017-December-06
Security risk: *Moderately critical* 12/25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access Bypass
Description:
This module enables you to configure nodes so that feedback about them can be
sent through personal or site-wide contact forms.
The module does not sufficiently check access to the nodes whose titles it
shows on contact forms.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Use the site-wide contact form" or "Use users' personal
contact forms" which is often assigned to untrusted user roles such as
anonymous.
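The class of defect described above, as an added illustration that is not the Node feedback module's own code: a hypothetical Drupal 7 hook_form_FORM_ID_alter() for the site-wide contact form that lists node titles, first without any access check and then with query-level node access grants plus a per-node node_access() check. The module prefix (example_feedback), the form element name and the vulnerable function's suffix are assumptions.

```php
<?php
/**
 * Added illustration (not the Node feedback module's real code): a Drupal 7
 * hook_form_contact_site_form_alter() that offers node titles on the site-wide
 * contact form. Module prefix, element name and suffixes are hypothetical.
 */

// Vulnerable pattern: every published node's title is exposed to anyone who may
// use the contact form, whether or not they may view the node. The "_vulnerable"
// suffix keeps Drupal from invoking this as a real hook.
function example_feedback_form_contact_site_form_alter_vulnerable(&$form, &$form_state) {
  $nids = db_query('SELECT nid FROM {node} WHERE status = 1')->fetchCol();
  $options = array();
  foreach (node_load_multiple($nids) as $node) {
    $options[$node->nid] = $node->title;   // no node access check
  }
  $form['feedback_node'] = array(
    '#type' => 'select',
    '#title' => t('Node'),
    '#options' => $options,
  );
}

// Hardened pattern: titles are listed only for nodes the current user may view.
function example_feedback_form_contact_site_form_alter(&$form, &$form_state) {
  // addTag('node_access') applies node access grants inside the query, so nodes
  // the user cannot see are never loaded at all.
  $nids = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.status', 1)
    ->addTag('node_access')
    ->execute()
    ->fetchCol();
  $options = array();
  foreach (node_load_multiple($nids) as $node) {
    // Per-entity check also honours hook_node_access() implementations that
    // the grants table does not express.
    if (node_access('view', $node)) {
      $options[$node->nid] = $node->title;
    }
  }
  $form['feedback_node'] = array(
    '#type' => 'select',
    '#title' => t('Node'),
    '#options' => $options,
    '#access' => !empty($options),
  );
}
```

Both the query tag and the per-node check are needed: the tag handles grant-based restrictions efficiently, while node_access() covers modules that deny access procedurally.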
Solution:
Install the latest version:
* If you use the Node feedback module for Drupal 7, upgrade to Node feedback 7.x-1.3 [3]
Also see the Node feedback [4] project page.
Reported By:
* Tatar Balazs Janos [5]
Fixed By:
* Tatar Balazs Janos [6]
* Bhavin H. Joshi [7] the module maintainer
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team
[1] https://www.drupal.org/project/node_feedback
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/node_feedback/releases/7.x-1.3
[4] https://www.drupal.org/project/node_feedback
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/u/tatarbj
[7] https://www.drupal.org/user/219482
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/larowlan
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news