The Webform Multifile File Upload module contains a Remote Code Execution (RCE) vulnerability where form inputs will be unserialized and a specially crafted form input may trigger arbitrary code execution depending on the libraries available on a site.
With the help of the D6LTS vendors, a new version was released:
https://www.drupal.org/project/webform_multifile/releases/6.x-1.4
The patch to fix it is also attached.
| Comment | File | Size | Author |
|---|---|---|---|
| | SA-CONTRIB-2016-038.patch | 10.74 KB | dsnopek |
Comments
Comment #2
dsnopek: Committed!