Critical XSS & Access Bypass Vulnerability in Webform


On December 8th, 2021 the Drupal security team issued advisory SA-CONTRIB-2021-045 for the Webform module. The advisory is rated critical and covers two issues: a cross-site scripting (XSS) vulnerability and an access bypass vulnerability.

The Webform module enables you to build forms and surveys in Drupal.

Access Bypass

The Webform module doesn't sufficiently check access to administrative features for webforms that are attached to nodes through the Webform Node submodule. As a result, an attacker may be able to view submitted data or modify it. Additionally, on sites whose webforms both send emails and store submissions, the same weakness lets an attacker use the site as an email relay, i.e. send arbitrary emails from it.

There is no mitigation for this vulnerability. If the Webform Node module is enabled on your site, you must update the Webform module.

Cross-Site Scripting

The Webform module doesn't sufficiently filter HTML in two places: an element's 'Help title' and the image text of an 'Image Select' element. Specially crafted text entered in either field is rendered without adequate filtering.
This vulnerability is mitigated by the fact that an attacker must be able to create or edit webforms.

Solution

Install the latest version:

  • If you use the Webform module for Drupal 9.x, upgrade to Webform 6.1.2 or Webform 6.0.6
  • If you use the Webform module version 8.x-5.x, that branch is affected by this issue and is unsupported. You should upgrade to Webform 6.
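The following triage script is an added example and is not code from Drupal.org or from the Webform project. It encodes the version thresholds listed above (6.1.2 for the 6.1.x branch, 6.0.6 for the 6.0.x branch, and the whole 8.x-5.x branch flagged as affected and unsupported) into a single check, so you can run it against the installed version on each site you manage. It assumes `composer show drupal/webform` prints a `versions : * <version>` line and that Drush's `pm:list --status=enabled` lists enabled modules; both are the tools as commonly used, not something the advisory states. Versions on a 6.x minor branch later than 6.1 are treated as not affected, which is an assumption made here.

```shell
#!/bin/sh
# Triage helper for SA-CONTRIB-2021-045 (added example, not the project's code).
# Decides whether an installed Webform version still needs the upgrade the
# advisory calls for.
#
# Fixed releases per the advisory: 6.1.2 (6.1.x branch) and 6.0.6 (6.0.x branch).
# The 8.x-5.x branch is listed as affected and unsupported, so it is always flagged.

# Returns 0 (true) when version "$1" needs an upgrade, 1 when it is at or above a
# fixed release. Accepts semver ("6.1.1"), legacy Drupal style ("8.x-5.26") and the
# form the drupal.org composer facade uses for legacy releases ("5.26.0").
webform_needs_upgrade() {
    v=${1#8.x-}                          # "8.x-5.26" -> "5.26"; semver untouched
    case "$v" in
        *dev*|*x*) return 0 ;;           # "6.1.x-dev": snapshot, cannot be verified as fixed
    esac
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0         # bare "6" -> minor 0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0    # "6.1" -> patch 0
    patch=${patch%%[!0-9]*}              # "2-rc1" -> "2"
    [ -z "$patch" ] && patch=0
    case "$major$minor$patch" in
        *[!0-9]*|'') return 0 ;;         # unparseable: flag it rather than assume safe
    esac
    [ "$major" -lt 6 ] && return 0       # 5.x / 8.x-5.x: affected and unsupported
    [ "$major" -gt 6 ] && return 1       # later major: released after the fix (assumption)
    case "$minor" in
        0) [ "$patch" -lt 6 ] && return 0 ;;   # 6.0.x fixed in 6.0.6
        1) [ "$patch" -lt 2 ] && return 0 ;;   # 6.1.x fixed in 6.1.2
    esac
    return 1                             # 6.0.6+, 6.1.2+, or a later 6.x minor (assumption)
}

# Reads `composer show drupal/webform` output on stdin and prints the installed
# version, taken from the "versions : * 6.1.1" line (assumed output format).
installed_webform_version() {
    sed -n 's/^versions[[:space:]]*:[[:space:]]*\*[[:space:]]*//p' | head -n 1
}

# Constructed sample of `composer show drupal/webform` output, not captured from a
# real site. On a live site replace the sample with the real command:
#   composer show drupal/webform | installed_webform_version
SAMPLE_COMPOSER_SHOW='name     : drupal/webform
descrip. : Enables the creation of webforms and questionnaires.
versions : * 6.1.1'

ver=$(printf '%s\n' "$SAMPLE_COMPOSER_SHOW" | installed_webform_version)
if webform_needs_upgrade "$ver"; then
    echo "webform $ver: upgrade required (SA-CONTRIB-2021-045)"
else
    echo "webform $ver: at or above a fixed release"
fi

# The access bypass has no mitigation when Webform Node is enabled; to see whether it
# is, on a site with Drush available (assumed Drush 9+ option names):
#   drush pm:list --status=enabled | grep -i webform_node
```

Flagging anything unparseable or any dev snapshot as "upgrade required" is deliberate: for a critical advisory with no mitigation, a false positive costs a second look, while a false negative leaves a site exposed.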

Source: Drupal.org
