Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
Project: Webform
Versions: 7.x-4.x, 7.x-3.x
Date: 2019-December-11
Security risk: Critical 15∕25 
Vulnerability: Multiple vulnerabilities

Description

This module enables you to create forms to collect information from users and report, analyze and distribute it by email.

The 7.x-3.x module doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can inject JavaScript into a page.

The 7.x-4.x module doesn't sufficiently protect against an attacker changing the submission identifier of a draft webform, thereby overwriting another user's submission. Confidential information is not disclosed, but information can be overwritten and therefore lost or forged.

The 7.x-4.x vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform and the webform must have the advanced form setting of either 'Show "Save draft" button' and/or "Automatically save as draft between pages and when there are validation errors". Neither of these two options are enabled by default. Anonymous users cannot submit drafts and therefore cannot exploit this vulnerability.

Solution

Install the latest version:

If you use the Webform 3.x module for Drupal 7.x, upgrade to Webform 7.x-3.29 or to Webform 7.x-4.21.
If you use the Webform 4.x module for Drupal 7.x, upgrade to Webform 7.x-4.21

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For last years has been actively developing AltaGrade's new back-end system.

We value your opinion. Please add your feedback.