Downloads

Download tar.gz 137.68 KB
MD5: 138aae51fe4d5010b4baf02dcda15c74
SHA-1: 83440e33470652b725da9ac69161c457b4e44bad
SHA-256: 6c69c24957133b41166381e5dda452198aac88a276ba48753282b5e3c472a8e8
Download zip 173.54 KB
MD5: 4d3226e670bbfbaf62e1675aa54607df
SHA-1: 818221a5ee9a8581667699c0ce50dffaac634428
SHA-256: 46665e8b1a83ebd8946dc0b172d293419c7f3f79883dfb82aa9c3933d03b75b6

Release notes

This release of 6.x-3.x fixes one security issue. Updating is strongly recommended for all Drupal 6 Webform users.
See SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS) for details.

Security issue

When a webform is made available as a block, the node's title is used as the default block title. This title is not sufficiently sanitized, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to administer blocks and create or edit webform nodes.
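The pattern described above, as an added example that is not the Webform module's own code: a block whose default title comes from a node title, shown unescaped and then escaped. All function names and the sample node are hypothetical, `htmlspecialchars()` stands in for Drupal's `check_plain()`, and the template is assumed to print the block subject without further escaping.

```php
<?php
// Added illustration; not the Webform module's source. All names are hypothetical.

// Stand-in for Drupal's check_plain(): encode HTML special characters as entities.
function example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Before: the node title goes into the block subject unchanged.
function example_block_view_unsafe($node) {
  return array(
    'subject' => $node->title,
    'content' => '<form>...</form>',
  );
}

// After: the title is escaped before it becomes the default block title.
function example_block_view_safe($node) {
  return array(
    'subject' => example_check_plain($node->title),
    'content' => '<form>...</form>',
  );
}

// Assumption: the block template prints the subject as-is, so any escaping
// has to happen where the subject is built.
function example_render_block($block) {
  return '<h2>' . $block['subject'] . "</h2>\n" . $block['content'] . "\n";
}

// Constructed sample node whose title contains markup.
$node = new stdClass();
$node->title = 'Contact us <script>alert(1)</script>';

// The first output carries the tag through to the page; the second shows it as text.
echo example_render_block(example_block_view_unsafe($node));
echo example_render_block(example_block_view_safe($node));
```

Escaping at the point where the title enters the block subject keeps the stored node title unchanged while making the rendered block title inert.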

Changes since 6.x-3.21:

  • #SA-152635 by DanChadwick: Fixed default block title.
Created by: danchadwick
Created on: 3 Mar 2015 at 18:10 UTC
Last updated: 1 Aug 2018 at 23:53 UTC
Security update
Insecure
Unsupported
