
SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS)

2013-05-29 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
EPSS: 0.967
Percentile: 99.7%

The Webform module allows the creation of custom webforms and surveys.
The Webform module does not sanitize the labels of created components (fields) when displaying a list of components to be used in e-mails or downloaded CSV files, so markup in a label is rendered as HTML.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “edit own webform content” or “edit all webform content”.
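The following PHP is an added illustration of the bug class described above, not Webform's own code: a user-controlled component label is placed into an HTML list unescaped, beside the output-escaped form using Drupal 6's check_plain(). The function names, the sample component array and the check_plain() stand-in (used only when run outside Drupal) are assumptions.

```php
<?php
// Added illustration; not code from the Webform module.
// A component label is set by a user holding "edit own webform content" or
// "edit all webform content" and later shown in a list of components.

// Constructed sample components; the second label carries markup.
$components = array(
  1 => array('name' => 'Your name'),
  2 => array('name' => 'Email <script>alert(1)</script>'),
);

if (!function_exists('check_plain')) {
  // Stand-in mirroring Drupal 6's check_plain() so this file runs stand-alone.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: the label is concatenated into HTML as-is, so any
// markup it contains is rendered by the browser of whoever views the list.
function example_component_list_unsafe(array $components) {
  $items = array();
  foreach ($components as $cid => $component) {
    $items[] = '<li>' . $component['name'] . '</li>';
  }
  return '<ul>' . implode('', $items) . '</ul>';
}

// Fixed pattern: escape on output, so the label is shown as literal text.
function example_component_list_safe(array $components) {
  $items = array();
  foreach ($components as $cid => $component) {
    $items[] = '<li>' . check_plain($component['name']) . '</li>';
  }
  return '<ul>' . implode('', $items) . '</ul>';
}

echo example_component_list_unsafe($components), "\n";
// Renders the <script> element as markup.
echo example_component_list_safe($components), "\n";
// Renders &lt;script&gt;alert(1)&lt;/script&gt; as visible text.
```

The same rule applies wherever a stored label reaches HTML, including e-mail templates rendered as HTML; a CSV download needs its own escaping for that format rather than HTML escaping.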

CVE identifier(s) issued

  • CVE-2013-2129

Versions affected

  • Webform 6.x-3.x versions prior to 6.x-3.19.

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

If you use the Webform module for Drupal 6, install the latest version, Webform 6.x-3.19. Drupal 7 versions of this module are not affected.

Also see the Webform project page.
