This module enables you to collect feedback from your site visitors on content pages, allowing them to optionally attach a free-text comment to their Yes/No vote.
The module doesn't sufficiently verify authorization over the targeted feedback record when processing a comment submission.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "give feedback". Note: "give feedback" is granted to anonymous and authenticated by default on install.
Install the latest release:
- If you use the admin_feedback module for Drupal 8.x, upgrade to admin_feedback 8.x-2.8
The comment endpoint now requires an HMAC-signed token bound to the specific feedback row (issued only to the visitor who cast that vote), and a comment may be written only once, preventing both forgery of arbitrary ids and replay.
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team