it-securitynotifies - [IT-SecNots] [Security-news] Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
[IT-SecNots] [Security-news] Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
  • Date: Wed, 11 Dec 2019 19:58:15 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-096

Project: Webform [1]
Version: 7.x-4.20, 7.x-4.20-rc1, 7.x-4.19, 7.x-4.19-rc1, 7.x-4.18, 7.x-4.18-rc1,
7.x-4.17, 7.x-4.17-rc1, 7.x-4.16, 7.x-4.16-rc1, 7.x-4.15, 7.x-4.15-rc1, 7.x-4.14,
7.x-4.13, 7.x-4.12, 7.x-4.11, 7.x-4.10, 7.x-4.9, 7.x-4.8, 7.x-4.7, 7.x-4.6,
7.x-4.5, 7.x-4.4, 7.x-4.3, 7.x-4.2, 7.x-4.1, 7.x-4.0, 7.x-4.0-rc6, 7.x-4.0-rc5,
7.x-4.0-rc4, 7.x-4.0-rc3, 7.x-4.0-rc2, 7.x-4.0-rc1, 7.x-4.0-beta3, 7.x-4.0-beta2,
7.x-4.0-beta1, 7.x-4.0-alpha10, 7.x-4.0-alpha9, 7.x-4.0-alpha8, 7.x-4.0-alpha7,
7.x-4.0-alpha6, 7.x-4.0-alpha5, 7.x-4.0-alpha4, 7.x-4.0-alpha3, 7.x-4.0-alpha2,
7.x-4.0-alpha1, 7.x-3.28-rc1, 7.x-3.27, 7.x-3.27-rc1, 7.x-3.26, 7.x-3.26-rc1,
7.x-3.25, 7.x-3.24, 7.x-3.23, 7.x-3.22, 7.x-3.21, 7.x-3.20, 7.x-3.19, 7.x-3.18,
7.x-3.17, 7.x-3.16, 7.x-3.15, 7.x-3.13, 7.x-3.12, 7.x-3.11, 7.x-3.10, 7.x-3.9,
7.x-3.8, 7.x-3.7, 7.x-3.6, 7.x-3.4-beta1, 7.x-3.3-beta1, 7.x-3.0-beta8,
7.x-3.0-beta7, 7.x-3.0-beta6, 7.x-3.0-beta5, 7.x-3.0-beta4, 7.x-3.0-beta3,
7.x-3.0-beta2
Date: 2019-December-11
Security risk: *Critical* 15/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Multiple vulnerabilities

Description: 
This module enables you to create forms to collect information from users and
report, analyze and distribute it by email.

The 7.x-3.x module doesn't sufficiently sanitize token values taken from
query strings. If a query string token is used as the value of a markup
component, an attacker can inject JavaScript into a page.

The 7.x-4.x module doesn't sufficiently protect against an attacker changing
the submission identifier of a draft webform, thereby overwriting another
user's submission. Confidential information is not disclosed, but information
can be overwritten and therefore lost or forged.

The 7.x-4.x vulnerability is mitigated by the fact that an attacker must have
a role with permission to submit a webform, and the webform must have the
advanced form setting 'Show "Save draft" button' and/or "Automatically save
as draft between pages and when there are validation errors" enabled. Neither
of these two options is enabled by default. Anonymous users cannot submit
drafts and therefore cannot exploit this vulnerability.
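The 7.x-4.x draft overwrite described above, as an added example that is not Webform's own code (Webform is a PHP module; this is a language-neutral model in Python). DraftStore, save_vulnerable and save_hardened are constructed names; the store stands in for the submissions table, and the hardened variant shows the ownership check that stops a client-supplied submission identifier from selecting another user's draft.

```python
from dataclasses import dataclass
from typing import Dict, Optional

ANONYMOUS_UID = 0  # Drupal's anonymous user id


@dataclass
class Draft:
    sid: int    # submission identifier, as carried in the form request
    uid: int    # account that owns the draft
    nid: int    # webform node the draft belongs to
    data: dict


class DraftStore:
    """Constructed in-memory stand-in for the draft submissions table."""

    def __init__(self) -> None:
        self._drafts: Dict[int, Draft] = {}
        self._next_sid = 1

    def create(self, uid: int, nid: int, data: dict) -> Draft:
        draft = Draft(self._next_sid, uid, nid, dict(data))
        self._drafts[draft.sid] = draft
        self._next_sid += 1
        return draft

    def get(self, sid: int) -> Optional[Draft]:
        return self._drafts.get(sid)

    def save_vulnerable(self, uid: int, nid: int, sid: int, data: dict) -> Draft:
        # Trusts the client-supplied sid and ignores uid/nid: any account that
        # may submit the webform can overwrite whichever draft the sid names.
        draft = self._drafts[sid]
        draft.data = dict(data)
        return draft

    def save_hardened(self, uid: int, nid: int, sid: int, data: dict,
                      drafts_enabled: bool = True) -> Draft:
        # Drafts exist only when the advanced form setting is enabled, and
        # anonymous users never own one, so both cases are refused outright.
        if not drafts_enabled or uid == ANONYMOUS_UID:
            raise PermissionError("drafts are not available for this request")
        draft = self._drafts.get(sid)
        # The sid must name a draft owned by this account on this webform;
        # anything else is treated as a forged identifier, not a missing draft.
        if draft is None or draft.uid != uid or draft.nid != nid:
            raise PermissionError(f"submission {sid} is not a draft owned by user {uid}")
        draft.data = dict(data)
        return draft
```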

Solution: 
Install the latest version:

* If you use the Webform 3.x module for Drupal 7.x, upgrade to Webform
7.x-3.29 [3] or to Webform 7.x-4.21.
* If you use the Webform 4.x module for Drupal 7.x, upgrade to Webform
7.x-4.21 [4].

Reported By: 
* Robin De Herdt [5]
* Ayesh Karunaratne [6]

Fixed By: 
* Robin De Herdt [7]
* Ayesh Karunaratne [8]
* Liam Morland [9]
* Dan Chadwick [10]
* Roman Zimmermann [11]

Coordinated By: 
* Greg Knaddison [12] of the Drupal Security Team
* Michael Hess [13] of the Drupal Security Team


[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform/releases/7.x-3.29
[4] https://www.drupal.org/project/webform/releases/7.x-4.21
[5] https://www.drupal.org/user/3555113
[6] https://www.drupal.org/user/796148
[7] https://www.drupal.org/user/3555113
[8] https://www.drupal.org/user/796148
[9] https://www.drupal.org/user/493050
[10] https://www.drupal.org/user/504278
[11] https://www.drupal.org/user/865256
[12] https://www.drupal.org/u/greggles
[13] https://www.drupal.org/u/mlhess

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

