SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS)

Webform enables you to create surveys, personalized contact forms, contests, and the like.

Cross Site Scripting Related to Webform Submissions

The module doesn’t sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch only.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform and the administrative user must subsequently visit the webform’s results table tab.

To mitigate this vulnerability, you can disable the view-based results table and restore the legacy hard-coded results table by adding this line to your settings.php file:

 $conf['webform_table'] = TRUE; 

Cross Site Scripting Related to Blocks

The module doesn’t sufficiently escape node titles of webforms which administrators may make available as blocks and displayed to any user. This issue affects all 6.x and 7.x branches of the module.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to administer blocks and create or edit webform nodes.

CVE identifier(s) issued

• Cross Site Scripting related to Webform Submissions CVE-2015-4356 * Cross Site Scripting related to Blocks:CVE-2015-4357

Versions affected

• webform 6.x versions prior to 6.x-3.22.
• webform 7.x-3.x versions prior to 7.x-3.22.
• webform 7.x-4.x versions prior to 7.x-4.4.

Drupal core is not affected. If you do not use the contributed Webform module,
there is nothing you need to do.

Solution

Install the latest version:

• If you use the webform module for Drupal 6.x, upgrade to webform 6.x-3.22
• If you use the webform module for Drupal 7.x, upgrade to webform 7.x-3.22 or webform 7.x-4.4

Also see the Webform project page.

Reported by

• Dan Chadwick, the module maintainer

Fixed by

• Dan Chadwick, the module maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team