  • Advisory ID: DRUPAL-SA-CONTRIB-2009-032
  • Project: Webform (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2009-June-03
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting

Description

The Webform module provides a node type which is typically used to enable site visitors to fill in questionnaires, contact or request/registration forms, surveys, polls, or other forms on a Drupal site.

When displaying the results of Webform submissions, the module does not properly filter user entered data, leading to a cross-site scripting (XSS) vulnerability on sites with a specific configuration of input formats that would normally be safe.

Such an attack carried out against a sufficiently privileged user may allow a malicious user to gain administrator access to the site.
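As an added illustration (not the Webform module's own code), the rendering pattern the advisory describes is shown beside its escaped form: submitted answers passed through a site-configured input format versus answers escaped as plain text at output time. Function names, the stand-in input format and the sample submissions are constructed; Drupal's check_plain() is named only as the equivalent of htmlspecialchars().

```php
<?php
// Added illustration, not the Webform module's own code. It models the
// advisory's point: submission data shown on a results page must be escaped
// as plain text, not passed through whatever input format the site has
// configured. Function names and the sample submissions are constructed.

// Stand-in for a site-configured input format: strips all tags except the
// ones the site chose to allow, but leaves attributes on allowed tags intact.
function apply_input_format(string $value, array $allowed_tags): string {
    return strip_tags($value, $allowed_tags);
}

// Vulnerable pattern: each answer is rendered through the site's input format.
// This is only safe while that format strips all dangerous markup; a format
// that lets any markup through renders attacker-controlled HTML in the table.
function render_results_unsafe(array $submissions, array $allowed_tags): string {
    $html = "<table>\n";
    foreach ($submissions as $row) {
        $html .= "<tr>";
        foreach ($row as $answer) {
            $html .= "<td>" . apply_input_format($answer, $allowed_tags) . "</td>";
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened pattern: answers are data, so they are always HTML-escaped at
// output time regardless of site configuration (Drupal's check_plain() does
// the same via htmlspecialchars()).
function render_results_safe(array $submissions): string {
    $html = "<table>\n";
    foreach ($submissions as $row) {
        $html .= "<tr>";
        foreach ($row as $answer) {
            $html .= "<td>" . htmlspecialchars($answer, ENT_QUOTES, 'UTF-8') . "</td>";
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample: one ordinary answer and one containing markup.
$submissions = [
    ['Alice', 'Great event, thanks!'],
    ['Mallory', '<img src=x onerror="alert(1)">'],
];
echo render_results_unsafe($submissions, ['<img>']); // markup survives
echo render_results_safe($submissions);              // markup shown as text
```

The first table shows why "the format allows only harmless tags" is not a defence when attributes survive; the second shows the same data rendered as inert text, which is the behaviour the fixed releases restore.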

Versions affected

  • Versions of Webform for Drupal 5.x prior to 5.x-2.7
  • Versions of Webform for Drupal 6.x prior to 6.x-2.7

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

Install the latest version:

See also the Webform project page.

Reported by

David Rothstein

Fixed by

Nathan Haug (quicksketch), and David Rothstein of the Drupal Security Team

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.