• Advisory ID: DRUPAL-SA-CONTRIB-2011-014
  • Project: Webform Block (third-party module)
  • Version: 6.x
  • Date: 2011-March-23
  • Security risk: Moderately critical (definition of risk levels)
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


The Webform Block module enables users to make a webform available as a block.

The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability that may lead to a malicious user gaining full administrative access.

The vulnerability is mitigated by the fact that a malicious user must be assigned a role that includes permission to create and/or edit webforms.

Versions affected

  • Webform Block module for Drupal 6.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Webform Block module, there is nothing you need to do.


Install the latest version:

See also the Webform Block project page.

Reported by

  • Dylan Wilder-Tack (grendzy) of the Drupal security team

Fixed by

  • Dylan Wilder-Tack (grendzy) of the Drupal security team
  • Mike Carter (budda), module maintainer

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.