• Advisory ID: DRUPAL-SA-2006-010
• Project: webform
• Date: 2006-Jul-09
• Security risk: critical
• Impact: webform
• Exploitable from: remote
• Vulnerability: multiple cross-site scripting

Description

A malicious user can insert cross-site scripting (XSS) code into webform pages and have it execute, because output is not validated.

Versions affected

All webform 4.6 and 4.7 versions prior to July 8, 2006.

Drupal core is not affected. If you do not use the webform module, there is nothing you need to do.

Solution

Download the latest release of webform:

Reported by

Heine Deelstra

Contact

The security contact for Drupal can be reached at security at drupal.org or using the form at http://drupal.org/contact.