Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014

Project:

Webform

Date:

2020-May-06

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross site scripting

Affected versions:

<5.11.0

Description:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently filter user input under in the scenario when a webform is edited, namely the message related to character min/max counter does not undergo sufficient filtering and thus allows execution of JavaScript code through it.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

Solution:

Install the latest version:

If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11

Also see the Webform project page.

Reported By:

Krzysztof Domański

Fixed By:

Krzysztof Domański
Lee Rowlands of the Drupal Security Team
Jacob Rockowitz
bucefal91

Coordinated By:

Greg Knaddison of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community