CVSS2: AV:N/AC:M/Au:S/C:N/I:P/A:N
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
EPSS Percentile: 99.7%
Webform enables you to create surveys, personalized contact forms, contests, and the like.
The module doesn’t sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch only.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform and the administrative user must subsequently visit the webform’s results table tab.
To mitigate this vulnerability, you can disable the view-based results table and restore the legacy hard-coded results table by adding this line to your settings.php file:
$conf['webform_table'] = TRUE;
The module doesn’t sufficiently escape node titles of webforms which administrators may make available as blocks and displayed to any user. This issue affects all 6.x and 7.x branches of the module.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to administer blocks and create or edit webform nodes.
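Both issues above are instances of the same defect class: user-controlled strings (a submission value in the results table, a node title in a block) reaching HTML markup without escaping. The following PHP is an added illustration, not code from the Webform module or from the advisory, showing that pattern beside its hardened form. It uses Drupal 7's check_plain() and supplies an equivalent fallback (htmlspecialchars with ENT_QUOTES) so it runs outside Drupal; the sample submissions and the function names are constructed for the example.

```php
<?php
// Added example, not Webform module code. check_plain() is the Drupal 7
// escaping helper; the fallback below matches its behaviour so this file
// runs stand-alone with the PHP CLI.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample submissions (hypothetical data). The second row carries
// markup and a quoted attribute, the kind of value a submitter controls.
$submissions = array(
  array('name' => 'Alice', 'message' => 'Hello'),
  array('name' => 'Mallory', 'message' => '<b title="x">hi</b>'),
);

// Vulnerable pattern: raw submission values are concatenated straight into
// the results table that an administrator later views.
function render_results_unescaped(array $rows) {
  $html = "<table>\n";
  foreach ($rows as $row) {
    $html .= '<tr><td>' . $row['name'] . '</td><td>' . $row['message'] . "</td></tr>\n";
  }
  return $html . '</table>';
}

// Hardened pattern: every user-supplied value passes through check_plain()
// before it reaches markup, so '<', '>', '"' and "'" become entities and the
// browser renders them as text rather than as tags or attributes.
function render_results_escaped(array $rows) {
  $html = "<table>\n";
  foreach ($rows as $row) {
    $html .= '<tr><td>' . check_plain($row['name']) . '</td><td>' . check_plain($row['message']) . "</td></tr>\n";
  }
  return $html . '</table>';
}

// The same rule applies to a webform node title shown in a block: escape it
// at the point where it is placed into HTML.
function render_block_title($title) {
  return '<h2 class="block-title">' . check_plain($title) . '</h2>';
}

// Self-check: the unescaped table still contains the raw tag, the escaped
// table does not, and the entity form is present instead.
$unsafe = render_results_unescaped($submissions);
$safe   = render_results_escaped($submissions);
assert(strpos($unsafe, '<b title="x">') !== FALSE);
assert(strpos($safe, '<b title="x">') === FALSE);
assert(strpos($safe, '&lt;b title=&quot;x&quot;&gt;hi&lt;/b&gt;') !== FALSE);
assert(render_block_title('Survey <em>2015</em>') === '<h2 class="block-title">Survey &lt;em&gt;2015&lt;/em&gt;</h2>');
echo $safe;
```

The useful check when reviewing similar code is the one the self-check encodes: search the rendered output of an admin page for a literal that came from user input and confirm it only ever appears in entity-encoded form. In Drupal 7 that means every variable placed into a string of markup goes through check_plain() (or a t()/format_string() placeholder that escapes for you) rather than plain concatenation.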
Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.
Install the latest version:
Also see the Webform project page.
drupal.org/node/2445291
drupal.org/node/2445295
drupal.org/node/2445297
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/webform
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/36762
www.drupal.org/user/504278
www.drupal.org/writing-secure-code