View online: https://www.drupal.org/node/2445935
* Advisory ID: DRUPAL-SA-CONTRIB-2015-063 * Project: Webform [1] (third-party module) * Version: 6.x, 7.x * Date: 2015-March-04 * Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Webform enables you to create surveys, personalized contact forms, contests, and the like.
-------- CROSS SITE SCRIPTING RELATED TO WEBFORM SUBMISSIONS -----------------
The module doesn't sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch only.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform and the administrative user must subsequently visit the webform's results table tab.
To mitigate this vulnerability, you can disable the view-based results table and restore the legacy hard-coded results table by adding this line to your settings.php file: <?php $conf['webform_table'] = TRUE; ?>
-------- CROSS SITE SCRIPTING RELATED TO BLOCKS ------------------------------
The module doesn't sufficiently escape node titles of webforms which administrators may make available as blocks and displayed to any user. This issue affects all 6.x and 7.x branches of the module.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to administer blocks and create or edit webform nodes.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* webform 6.x versions prior to 6.x-3.22. * webform 7.x-3.x versions prior to 7.x-3.22. * webform 7.x-4.x versions prior to 7.x-4.4.
Drupal core is not affected. If you do not use the contributed Webform [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the webform module for Drupal 6.x, upgrade to webform 6.x-3.22 [5] * If you use the webform module for Drupal 7.x, upgrade to webform 7.x-3.22 [6] or webform 7.x-4.4 [7]
Also see the Webform [8] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dan Chadwick [9], the module maintainer
-------- FIXED BY ------------------------------------------------------------
* Dan Chadwick [10], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/webform [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/webform [5] http://drupal.org/node/2445291 [6] http://drupal.org/node/2445295 [7] http://drupal.org/node/2445297 [8] https://www.drupal.org/project/webform [9] https://www.drupal.org/user/504278 [10] https://www.drupal.org/user/504278 [11] https://www.drupal.org/user/36762 [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity