[Security-news] Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
security-news at drupal.org
security-news at drupal.org
Wed Dec 11 19:58:15 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-096
Project: Webform [1]
Version: 7.x-4.207.x-4.20-rc17.x-4.197.x-4.19-rc17.x-4.187.x-4.18-rc17.x-4.177.x-4.17-rc17.x-4.167.x-4.16-rc17.x-4.157.x-4.15-rc17.x-4.147.x-4.137.x-4.127.x-4.117.x-4.107.x-4.97.x-4.87.x-4.77.x-4.67.x-4.57.x-4.47.x-4.37.x-4.27.x-4.17.x-4.07.x-4.0-rc67.x-4.0-rc57.x-4.0-rc47.x-4.0-rc37.x-4.0-rc27.x-4.0-rc17.x-4.0-beta37.x-4.0-beta27.x-4.0-beta17.x-4.0-alpha107.x-4.0-alpha97.x-4.0-alpha87.x-4.0-alpha77.x-4.0-alpha67.x-4.0-alpha57.x-4.0-alpha47.x-4.0-alpha37.x-4.0-alpha27.x-4.0-alpha17.x-3.28-rc17.x-3.277.x-3.27-rc17.x-3.267.x-3.26-rc17.x-3.257.x-3.247.x-3.237.x-3.227.x-3.217.x-3.207.x-3.197.x-3.187.x-3.177.x-3.167.x-3.157.x-3.137.x-3.127.x-3.117.x-3.107.x-3.97.x-3.87.x-3.77.x-3.67.x-3.4-beta17.x-3.3-beta17.x-3.0-beta87.x-3.0-beta77.x-3.0-beta67.x-3.0-beta57.x-3.0-beta47.x-3.0-beta37.x-3.0-beta2
Date: 2019-December-11
Security risk: *Critical* 15∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Multiple vulnerabilities
Description:
This module enables you to create forms to collect information from users and
report, analyze and distribute it by email.
The 7.x-3.x module doesn't sufficiently sanitize token values taken from
query strings. If a query string token is used as the value of a markup
component, an attacker can inject JavaScript into a page.
The 7.x-4.x module doesn't sufficiently protect against an attacker changing
the submission identifier of a draft webform, thereby overwriting another
user's submission. Confidential information is not disclosed, but information
can be overwritten and therefore lost or forged.
The 7.x-4.x vulnerability is mitigated by the fact that an attacker must have
a role with permission to submit a webform and the webform must have the
advanced form setting of either 'Show "Save draft" button' and/or
"Automatically save as draft between pages and when there are validation
errors". Neither of these two options are enabled by default. Anonymous users
cannot submit drafts and therefore cannot exploit this vulnerability.
Solution:
Install the latest version:
* If you use the Webform 3.x module for Drupal 7.x, upgrade to Webform
7.x-3.29 [3] or to Webform 7.x-4.21.
* If you use the Webform 4.x module for Drupal 7.x, upgrade to Webform
7.x-4.21 [4]
Reported By:
* Robin De Herdt [5]
* Ayesh Karunaratne [6]
Fixed By:
* Robin De Herdt [7]
* Ayesh Karunaratne [8]
* Liam Morland [9]
* Dan Chadwick [10]
* Roman Zimmermann [11]
Coordinated By:
* Greg Knaddison [12] of the Drupal Security Team
* Michael Hess [13] of the Drupal Security Team
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform/releases/7.x-3.29
[4] https://www.drupal.org/project/webform/releases/7.x-4.21
[5] https://www.drupal.org/user/3555113
[6] https://www.drupal.org/user/796148
[7] https://www.drupal.org/user/3555113
[8] https://www.drupal.org/user/796148
[9] https://www.drupal.org/user/493050
[10] https://www.drupal.org/user/504278
[11] https://www.drupal.org/user/865256
[12] https://www.drupal.org/u/greggles
[13] https://www.drupal.org/u/mlhess
More information about the Security-news
mailing list