This module has an XSS vulnerability.
You can see this vulnerability by:
1. Enable Webform and Webform Multiple File Upload
2. Create a Node with node type Webform
3. Add a new Multifile type field
4. Disable file type validation from the UI
5. Upload a file using that field with a file that includes an XSS attack in the name of the file, for example: `"><img src=1 onerror=alert(document.domain)>`
The XSS vulnerability is in a 3rd party library and it has been fixed here https://github.com/fyneworks/multifile/pull/44.
Originally reported by lauriii
| Comment | File | Size | Author |
|---|---|---|---|
| | webform_multifile.patch | 781 bytes | dsnopek |
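
The file-name injection from the reproduction steps, as an added example that is not the MultiFile library's code or the attached patch: it renders one uploaded-file row with the name concatenated into markup, next to a version that HTML-encodes the name first. The function names and the row markup are assumptions made for the illustration.

```javascript
// Added illustration; not code from the MultiFile library or from webform_multifile.
// All function names and the <span> row markup are hypothetical.

// Constructed sample input: the file name given in the reproduction steps.
const SAMPLE_NAME = '"><img src=1 onerror=alert(document.domain)>';

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode every character that can terminate a text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the name is concatenated into markup, so the browser parses it as HTML.
function renderFileRowUnsafe(name) {
  return '<span class="file" title="' + name + '">' + name + '</span>';
}

// After: the name is encoded for both the attribute and the text context.
function renderFileRowSafe(name) {
  const safe = escapeHtml(name);
  return '<span class="file" title="' + safe + '">' + safe + '</span>';
}

// Crude check used only to compare the two outputs: counts element start tags.
// A correctly rendered row contains exactly one, the <span> itself.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

console.log('unsafe start tags:', countStartTags(renderFileRowUnsafe(SAMPLE_NAME)));
console.log('safe start tags:  ', countStartTags(renderFileRowSafe(SAMPLE_NAME)));
console.log(renderFileRowSafe(SAMPLE_NAME));
```

In DOM code, assigning the name through `textContent` (or jQuery's `.text()`) gives the same result without building an HTML string at all.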
Comments
Comment #2
dsnopek
Comment #3
mustanggb commented
This is already fixed upstream, duplicate of #2881332: Use Multifile 2.x Library.