it-securitynotifies - [IT-SecNots] [Security-news] Advanced Content Feedback (aka admin_feedback) - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-051

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Advanced Content Feedback (aka admin_feedback) - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-051
  • Date: Wed, 24 Jun 2026 18:32:16 +0000
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=FHZAS7yK; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=f34odw3mfzgsrgyn3evjayysxxl6jizn header.b="I16l+/JS"; dkim=fail ("body hash did not verify") header.d=amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=CIDJ+tyB; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org E6871410DF
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org A5F4640933
  • Dmarc-filter: OpenDMARC Filter v1.4.2 smtp4.osuosl.org A5F4640933
  • Feedback-id: ::1.us-west-2.eaokZ1GT8utLqfMHQoyOsEFVrSIzzS6R+14LP6WIIUY=:AmazonSES
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-051

Project: Advanced Content Feedback (aka admin_feedback) [1]
Date: 2026-June-24
Security risk: *Moderately critical* 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site scripting

Affected versions: <2.8.0
CVE IDs: CVE-2026-13231
Description: 
This module enables you to collect feedback from your site visitors on
content pages, presenting Yes/No buttons and providing dashboards for
administrators to review the responses.

The module doesn't sufficiently sanitize several administrator-configured
response messages (the "Yes response", "No response", and the custom text
shown on a "No" answer) under the scenario where those settings contain HTML
or script markup, which is then emitted as raw HTML in the feedback response
shown to visitors.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer admin feedback".

Solution: 
Install the latest release:

* If you use the admin_feedback module for Drupal 8.x, upgrade to
admin_feedback 8.x-2.8 [3]

The configured plain-text responses are now escaped with `Html::escape()`,
and the formatted "No" response is rendered through its configured text
format filter (`check_markup()`) instead of being printed raw.
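The two code paths the advisory contrasts, as an added illustration that is not the admin_feedback module's own code: the configured response string concatenated straight into markup (the pattern described above), beside the hardened form where plain-text responses go through `Html::escape()` and the formatted "No" text goes through a text-format filter. The `html_escape()` and `check_markup_stub()` helpers are stand-ins for Drupal's `Html::escape()` and `check_markup()` so the script runs outside Drupal; the config keys and sample admin values are constructed for this example.

```php
<?php
// Added example, not code from the admin_feedback project. The helpers below
// stand in for \Drupal\Component\Utility\Html::escape() and check_markup();
// config keys and sample values are constructed for illustration.
declare(strict_types=1);

// Stand-in for Html::escape(): Drupal wraps htmlspecialchars() with exactly these flags.
function html_escape(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for check_markup() with a restrictive text format: keep a short
// allow-list of tags and drop event-handler attributes. Real check_markup()
// runs whatever filters the configured format enables; this mimics a
// basic_html-style filter_html allow-list.
function check_markup_stub(string $text, array $allowed = ['p', 'br', 'strong', 'em']): string {
    $allowedString = '<' . implode('><', $allowed) . '>';
    $stripped = strip_tags($text, $allowedString);
    // strip_tags() keeps attributes on allowed tags, so remove on* handlers as well.
    return preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $stripped) ?? '';
}

// Constructed settings of the kind the "administer admin feedback" permission controls.
$config = [
    'yes_response'   => 'Thanks! <script>alert("stored xss")</script>',
    'no_response'    => 'Sorry to hear that & we will improve.',
    'no_custom_text' => '<p>Tell us <strong>why</strong> <img src="x" onerror="alert(1)"></p>',
];

// Vulnerable pattern: the configured string is emitted as raw HTML.
function render_vulnerable(array $config, string $answer): string {
    $body = $answer === 'yes'
        ? $config['yes_response']
        : $config['no_response'] . $config['no_custom_text'];
    return '<div class="feedback-response">' . $body . '</div>';
}

// Hardened pattern: plain-text responses are escaped, the formatted "No"
// text is filtered through its text format instead of printed raw.
function render_hardened(array $config, string $answer): string {
    if ($answer === 'yes') {
        $body = html_escape($config['yes_response']);
    } else {
        $body = html_escape($config['no_response']) . check_markup_stub($config['no_custom_text']);
    }
    return '<div class="feedback-response">' . $body . '</div>';
}

echo render_vulnerable($config, 'yes'), PHP_EOL; // script tag reaches the visitor's browser
echo render_hardened($config, 'yes'), PHP_EOL;   // &lt;script&gt;... rendered as literal text
echo render_hardened($config, 'no'), PHP_EOL;    // & escaped; <img onerror> dropped, <p>/<strong> kept
```

The point of keeping two distinct helpers is the distinction the fix draws: a field meant to hold plain text is escaped wholesale, while a field that legitimately holds formatted HTML is run through its configured text format, so allowed markup survives and script-capable markup does not. In real Drupal code the equivalent is a render array with `#plain_text` for the former and `#type => 'processed_text'` (or `check_markup()`) with the stored format for the latter, rather than string concatenation into `#markup`.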

Reported By: 
* Bill Seremetis (bserem) [4]

Fixed By: 
* Bill Seremetis (bserem) [5]

Coordinated By: 
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team

Security issue: https://git.drupalcode.org/security/185233-admin_feedback-security/-/work_items/… [8]
------------------------------------------------------------------------------
Contribution record [9]

[1] https://www.drupal.org/project/admin_feedback
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/admin_feedback/releases/8.x-2.8
[4] https://www.drupal.org/u/bserem
[5] https://www.drupal.org/u/bserem
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://git.drupalcode.org/security/185233-admin_feedback-security/-/work_items/1
[9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3600920

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at

Archive provided by MHonArc 2.6.19+.