Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-050
- Project: Webform report (third-party module)
- Version: All
- Date: 2009-Aug-5
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
Webform report allows users to create simple, dynamic reports based on data collected by the webform module. When displaying the results of Webform submissions, the module does not properly escape user entered data, leading to a cross-site scripting (XSS) vulnerability.
Versions affected
- Webform report for Drupal 5.x
- Webform report for Drupal 6.x
Drupal core is not affected. If you do not use the contributed webform report module, there is nothing you need to do.
Solution
There is no solution available. Please disable the module and remove it from your server.
Reported by
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
