This module has an access bypass vulnerability.
You can see this vulnerability by:
1. Enabling the module
2. Create a new webform report and leave "promote to front page" checked
3. Submissions from that webform can now be viewed at /rss.xml even if the frontpage view is disabled and the user doesn't have "Access Webform Reports" permission (i.e. anonymous uses can view it)
4. If the webform contains user submitted names, phone, email, etc it's now viewable and indexable by search engines
It appears this is due to there being no access checks in hook_view().
Originally reported by jphelan.
Comments
Comment #2
dsnopekComment #3
origami commentedI'm not able to reproduce the issue. I use this module and I want to make sure it's secure but I'm not seeing any webform submitted data in rss.xml. Are there any other steps or settings?