View online: https://www.drupal.org/sa-contrib-2020-013

Project: Webform [1] Date: 2020-May-06 Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross site scripting

Description:  The Webform module allows site builders to create forms.

The module doesn't sufficiently prevent malicious code from being render via an options elements (i.e select menu, checkboxes, radios, etc...) under the scenario where the site builder allows the raw option value to be displayed.

This vulnerability is mitigated by the fact that site builder must be allowed to build webform and select raw as the options element's submission display.

Solution:  Install the latest version:

* If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11 [3]

Also see the Webform [4] project page.

Reported By:  * Dan Chadwick [5]

Fixed By:  * Jacob Rockowitz [6] * Dan Chadwick [7]

Coordinated By:  * Greg Knaddison [8] of the Drupal Security Team

[1] https://www.drupal.org/project/webform [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/webform/releases/8.x-5.11 [4] https://www.drupal.org/project/webform [5] https://www.drupal.org/user/504278 [6] https://www.drupal.org/user/371407 [7] https://www.drupal.org/user/504278 [8] https://www.drupal.org/user/36762