[Security-news] SA-CONTRIB-2009-050 - Webform report - Cross site scripting

security-news at drupal.org
Wed Aug 5 17:34:07 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-050
  * Project: Webform report (third-party module)
  * Version: All
  * Date: 2009-Aug-5
  * Security risk: Less critical
  * Exploitable from: Remote
  * Vulnerability: Cross site scripting

-------- DESCRIPTION ---------------------------------------------------------

Webform report [1] allows users to create simple, dynamic reports based on
data collected by the webform module. When displaying the results of Webform
submissions, the module does not properly escape user-entered data, leading
to a cross-site scripting [2] (XSS) vulnerability.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Webform for Drupal 5.x
  * Webform for Drupal 6.x

Drupal core is not affected. If you do not use the contributed webform report
module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

There is no solution available. Please disable the module and remove it from
your server.

-------- REPORTED BY ---------------------------------------------------------

Stéphane Corlosquet [3]

-------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://drupal.org/project/webform_report
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/user/52142


