Advanced Content Feedback Aka Admin Feedback
Monthly
Incorrect authorization in the Drupal Advanced Content Feedback (admin_feedback) contributed module allows authenticated low-privilege users to perform forceful browsing, accessing restricted feedback resources without proper authorization checks. All module releases from 0.0.0 up to (but not including) 2.8.0 are affected. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 4th percentile, consistent with the SSVC assessment of zero current exploitation.
Stored XSS in the Drupal contributed module Advanced Content Feedback (admin_feedback) affects all releases from 0.0.0 up to 2.8.0, enabling a remote unauthenticated attacker to inject persistent malicious scripts that execute in the browsers of users who subsequently view affected pages. The scope change (S:C) in the CVSS vector indicates the injected payload escapes the application's security context and operates in the victim's browser, potentially enabling session hijacking or unauthorized actions on behalf of privileged users. No public exploit code has been identified and CISA has not added this to KEV; EPSS at 0.16% (6th percentile) and SSVC's 'exploitation: none' classification confirm this is a low-urgency finding with no evidence of active targeting.
Incorrect authorization in the Drupal Advanced Content Feedback (admin_feedback) contributed module allows authenticated low-privilege users to perform forceful browsing, accessing restricted feedback resources without proper authorization checks. All module releases from 0.0.0 up to (but not including) 2.8.0 are affected. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 4th percentile, consistent with the SSVC assessment of zero current exploitation.
Stored XSS in the Drupal contributed module Advanced Content Feedback (admin_feedback) affects all releases from 0.0.0 up to 2.8.0, enabling a remote unauthenticated attacker to inject persistent malicious scripts that execute in the browsers of users who subsequently view affected pages. The scope change (S:C) in the CVSS vector indicates the injected payload escapes the application's security context and operates in the victim's browser, potentially enabling session hijacking or unauthorized actions on behalf of privileged users. No public exploit code has been identified and CISA has not added this to KEV; EPSS at 0.16% (6th percentile) and SSVC's 'exploitation: none' classification confirm this is a low-urgency finding with no evidence of active targeting.