Project: Node feedbackVersion: 7.x-1.2Date: 2017-December-06Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access BypassDescription:
This module enables you to set nodes to send feedbacks by personal/site wide contact forms.
The module doesn't sufficiently handle the access to nodes whose titles will be shown on contact forms.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the site-wide contact form" or "Use users' personal contact forms" which is often assigned to untrusted user roles such as anonymous.
Install the latest version:
- If you use the node feedback module for Drupal 7, upgrade to node feedback 7.x-1.3
Also see the Node feedback project page.