[Security-news] Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-013
security-news at drupal.org
security-news at drupal.org
Wed May 6 17:25:22 UTC 2020
View online: https://www.drupal.org/sa-contrib-2020-013
Project: Webform [1]
Date: 2020-May-06
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description:
The Webform module allows site builders to create forms.
The module doesn't sufficiently prevent malicious code from being render via
an options elements (i.e select menu, checkboxes, radios, etc...) under the
scenario where the site builder allows the raw option value to be displayed.
This vulnerability is mitigated by the fact that site builder must be allowed
to build webform and select raw as the options element's submission display.
Solution:
Install the latest version:
* If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11
[3]
Also see the Webform [4] project page.
Reported By:
* Dan Chadwick [5]
Fixed By:
* Jacob Rockowitz [6]
* Dan Chadwick [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform/releases/8.x-5.11
[4] https://www.drupal.org/project/webform
[5] https://www.drupal.org/user/504278
[6] https://www.drupal.org/user/371407
[7] https://www.drupal.org/user/504278
[8] https://www.drupal.org/user/36762
More information about the Security-news
mailing list