Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Heine on
- Advisory ID: DRUPAL-SA-2008-024
- Project: Webform (third-party module)
- Version: 5.x, 6.x
- Date: 2008-April-03
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
The contributed webform module provides a webform nodetype. Typical uses for webform are to create questionnaires, contact or request/register forms, surveys, polls or a front end to issues tracking systems.
On several points in the codebase, user-supplied data is not escaped before it is displayed. This allows users to inject arbitrary HTML and scripts into pages, which may lead to administrator access when certain conditions are met.
Wikipedia has more information about cross site scripting (XSS).
Versions affected
- Webform for Drupal 5.x prior to 5.x-1.10
- Webform for Drupal 5.x prior to 5.x-2.0-beta3
- Webform for Drupal 6.x prior to 6.x-1.0-beta3
Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Drupal 5.x-1.x install Webform 5.x-1.10.
- If you use Drupal 5.x-2.x install Webform 5.x-2.0-beta3.
- If you use Drupal 6.x install Webform 6.x-1.0-beta3.
See also the Webform project page.
Reported by
cwgordon7 of the Drupal security team.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
