Downloads
Release notes
The Webform Multifile File Upload module contains a Remote Code Execution (RCE) vulnerability exists where form inputs will be unserialized and a specially crafted form input may trigger arbitrary code execution depending on the libraries available on a site.
This vulnerability is mitigated by the fact that an attacker must have the ability to submit a Webform with a Multiple File Input field. Further, a site must have an object defined with methods that are invoked at wake/destroy that include code that can be leveraged for malicious purposes (Drupal 7 Core contains one such class which can be used to delete arbitrary files).