• Advisory ID: DRUPAL-SA-CONTRIB-2009-074
  • Project: Webform (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-October-14
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities


Cross-site scripting

The Webform module enables the creation of custom forms for collecting data from users. The Webform module does not properly escape field labels in certain situations. A malicious user with permission to create webforms could attempt a cross-site scripting (XSS) attack when viewing the result, leading to the user gaining full administrative access.

Session data disclosure

The Webform module fails to prevent the page from being cached when a default value uses token placeholders. This leads to disclosure of session variables to anonymous users when caching is enabled.

Versions affected

  • Webform for Drupal 6.x prior to 6.x-2.8
  • Webform for Drupal 5.x prior to 5.x-2.8

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.


Upgrade to the latest version:

See also the Webform project page.

Reported by

The XSS issue was reported by Justine Klein Keane.
The session disclosure issue was reported by seattlehimay.

Fixed by

The XSS issue was fixed by Greg Knaddison of the Drupal Security Team.
The session disclosure issue was fixed by Nathan Haug, the module maintainer.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.