* Advisory ID: DRUPAL-SA-CONTRIB-2009-050 * Project: Webform report (third-party module) * Version: All * Date: 2009-Aug-5 * Security risk: Less critical * Exploitable from: Remote * Vulnerability: Cross site scripting
-------- DESCRIPTION ---------------------------------------------------------
Webform report [1] allows users to create simple, dynamic reports based on data collected by the webform module. When displaying the results of Webform submissions, the module does not properly escape user entered data, leading to a cross-site scripting [2] (XSS) vulnerability. -------- VERSIONS AFFECTED ---------------------------------------------------
* Webform for Drupal 5.x * Webform for Drupal 6.x
Drupal core is not affected. If you do not use the contributed webform report module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
There is no solution available. Please disable the module and remove it from your server. -------- REPORTED BY ---------------------------------------------------------
Stéphane Corlosquet [3] -------- CONTACT -------------------------------------------------------------
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/project/webform_report [2] http://en.wikipedia.org/wiki/Cross-site_scripting [3] http://drupal.org/user/52142