CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS
Percentile: 99.7%
The Webform module allows the creation of custom webforms and surveys.
The Webform module does not sanitize the labels of created components (fields) when displaying a list of components to be used in e-mails or downloaded CSV files.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “edit own webform content” or “edit all webform content”.
Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.
If you use the Webform module for Drupal 6, install the latest version, Webform 6.x-3.19. Drupal 7 versions of this module are not affected.
Also see the Webform project page.