- Advisory ID: DRUPAL-SA-CONTRIB-2011-014
- Project: Webform Block (third-party module)
- Version: 6.x
- Date: 2011-March-23
- Security risk: Moderately critical (definition of risk levels)
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
The Webform Block module enables users to make a webform available as a block.
The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability that may allow a malicious user to gain full administrative access.
The vulnerability is mitigated by the fact that a malicious user must be assigned a role that includes permission to create and/or edit webforms.
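The weak output pattern described above beside its hardened form, as an added illustration rather than the Webform Block module's own code; it assumes the unsanitized value is the webform node's title and that the block is assembled by a Drupal 6 hook_block('view') implementation:

```php
<?php
// Added illustrative example; not the Webform Block module's own code.
// Assumptions: the unsanitized value is the webform node's title, and the
// block is assembled by a Drupal 6 hook_block('view') implementation.

// Shim so the snippet runs outside Drupal; it mirrors Drupal 6's check_plain().
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Weak pattern: a user-controlled node title is concatenated into the block
// markup as-is, so anyone permitted to edit the webform controls the HTML.
function webform_block_view_unsafe($node) {
  return array(
    'subject' => $node->title,
    'content' => '<div class="webform-block">' . $node->title . '</div>',
  );
}

// Hardened pattern: escape at output time. The block subject and any text
// spliced into HTML go through check_plain(); filter_xss() would be the
// choice only where a limited set of tags must survive.
function webform_block_view_safe($node) {
  $title = check_plain($node->title);
  return array(
    'subject' => $title,
    'content' => '<div class="webform-block">' . $title . '</div>',
  );
}

// Constructed sample node: a title that a webform editor could have typed.
$node = (object) array('nid' => 1, 'title' => 'Survey <script>/* constructed */</script>');

$unsafe = webform_block_view_unsafe($node);
$safe   = webform_block_view_safe($node);

// The unsafe output carries the tag through verbatim; the safe output renders
// it as literal text (&lt;script&gt;), which the browser never executes.
assert(strpos($unsafe['content'], '<script>') !== false);
assert(strpos($safe['content'], '<script>') === false);
assert(strpos($safe['content'], '&lt;script&gt;') !== false);
echo "unsafe: {$unsafe['content']}\n";
echo "safe:   {$safe['content']}\n";
```

The same escaping rule applies to every user-supplied string the block emits, not only the title; a review of the fix should check each place the module interpolates node or webform data into markup.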
Versions affected
- Webform Block module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Webform Block module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Webform Block module for Drupal 6.x, upgrade to Webform Block 6.x-1.2
See also the Webform Block project page.
Reported by
- Dylan Wilder-Tack (grendzy) of the Drupal security team
Fixed by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.