Webform - Critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-045

Project: WebformDate: 2021-December-08Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Scripting, Access BypassDescription: Access Bypass:
This module enables you to build forms and surveys in Drupal.
The module doesn't sufficiently check access for administrative features for webforms attached to nodes using the Webform Node module. This may reveal submitted data or allow an attacker to modify submitted data.
There is no mitigation for this vulnerability. If you have the Webform Node module enabled you must update the Webform module.
Cross Site Scripting:
The Webform module enables site builders to create forms and surveys.
The Webform module doesn't sufficiently filter HTML when an element's 'Help title' and an 'Image Select' element's image text contain specially crafted malicious text.
This vulnerability is mitigated by the fact that an attacker must be able to create or edit webforms.Solution: Install the latest version:

  • If you use the Webform module for Drupal 9.x, upgrade to Webform 6.1.2 or Webform 6.0.6
  • If you use the Webform module version 8.x-5.x it is affected by this issue and is unsupported. You should upgrade to Webform 6.

Reported By: Access Bypass:

Cross Site Scripting:

Fixed By: Access Bypass:

Cross Site Scripting:

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2021-045