- Advisory ID: DRUPAL-SA-CONTRIB-2009-074
- Project: Webform (third-party module)
- Version: 5.x, 6.x
- Date: 2009-October-14
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
The Webform module enables the creation of custom forms for collecting data from users.
Cross-site scripting
The Webform module does not properly escape field labels in certain situations. A malicious user with permission to create webforms could mount a cross-site scripting (XSS) attack that triggers when the results are viewed, potentially allowing that user to gain full administrative access.
Session data disclosure
The Webform module fails to prevent the page from being cached when a default value uses token placeholders. This leads to disclosure of session variables to anonymous users when caching is enabled.
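The two fixes the advisory calls for, shown as an added illustration in Drupal 6 style PHP that is not the Webform module's own code: the field label is escaped with check_plain() before output, and the Drupal page cache is switched off for the request whenever a component default contains a token placeholder, so a per-user substituted value is never cached and served to anonymous visitors. The function names, the %placeholder token syntax and the component array layout are assumptions made for this example.

```php
<?php
// Added illustration, not Webform's code. Assumes the Drupal 6 core API:
// check_plain() and the CACHE_DISABLED constant exist there.

// Vulnerable: the label is printed as-is, so whatever markup a webform
// author put in it is rendered in the browser of whoever views the results.
function example_render_label_unsafe(array $component) {
  return '<label>' . $component['name'] . '</label>';
}

// Hardened: HTML-escape the label so it is shown as text, never as markup.
function example_render_label_safe(array $component) {
  return '<label>' . check_plain($component['name']) . '</label>';
}

// Assumed token syntax for this illustration: %username, %useremail, ...
// Returns TRUE when the default value would be filled in per user.
function example_default_uses_tokens($default_value) {
  return (bool) preg_match('/%[a-z_]+/i', (string) $default_value);
}

// Hardened: if any component default carries a token, disable the page
// cache for this request before the defaults are substituted, so the
// personalised (session-derived) values cannot be served from cache.
function example_prepare_defaults(array $components) {
  foreach ($components as $component) {
    if (example_default_uses_tokens($component['value'])) {
      $GLOBALS['conf']['cache'] = CACHE_DISABLED;
      break;
    }
  }
  // Token substitution into the defaults would follow here.
}
```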
Versions affected
- Webform for Drupal 6.x prior to 6.x-2.8
- Webform for Drupal 5.x prior to 5.x-2.8
Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.
Upgrade to the latest version:
- If you use Webform for Drupal 6.x, upgrade to Webform 6.x-2.8
- If you use Webform for Drupal 5.x, upgrade to Webform 5.x-2.8
See also the Webform project page.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.