  • Advisory ID: DRUPAL-SA-CONTRIB-2012-171
  • Project: Webmail Plus (third-party module)
  • Version: 6.x
  • Date: 2012-November-28
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection


The Webmail Plus module is a full-featured email client for Drupal. It's designed to provide email for any or all members of a Drupal site.

The module doesn't sufficiently sanitize user input before it is used in a database query, which makes it vulnerable to SQL injection.

CVE: CVE-2012-5590

Versions affected

  • All Webmail Plus module versions.

Drupal core is not affected. If you do not use the contributed Webmail Plus module, there is nothing you need to do.


Uninstall the module:

  • If you use the Webmail Plus module you should disable the module.

Also see the Webmail Plus project page.

Reported by

  • Fox of the Drupal Security Team

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.