
it-securitynotifies - [IT-SecNots] [Security-news] Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-013

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-013
  • Date: Wed, 6 May 2020 17:25:22 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2020-013

Project: Webform [1]
Date: 2020-May-06
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Description: 
The Webform module allows site builders to create forms.

The module doesn't sufficiently prevent malicious code from being rendered via
an options element (i.e., select menu, checkboxes, radios, etc.) under the
scenario where the site builder allows the raw option value to be displayed.

This vulnerability is mitigated by the fact that the site builder must be allowed
to build webforms and select raw as the options element's submission display.

Solution: 
Install the latest version:

* If you use the Webform module for Drupal 8, upgrade to Webform 8.x-5.11 [3]

Also see the Webform [4] project page.

Reported By: 
* Dan Chadwick [5]

Fixed By: 
* Jacob Rockowitz [6]
* Dan Chadwick [7]

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/webform
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/webform/releases/8.x-5.11
[4] https://www.drupal.org/project/webform
[5] https://www.drupal.org/user/504278
[6] https://www.drupal.org/user/371407
[7] https://www.drupal.org/user/504278
[8] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
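
For checking a site inventory against the fixed release named in the Solution section, a version comparison follows. This is an added example, not part of the advisory or the Webform project's code; it assumes any 8.x-5.x release older than 8.x-5.11 needs the upgrade (the advisory names only the fixed release), and the function names and sample versions are constructed for illustration.

```python
import re

FIXED = "8.x-5.11"  # fixed release named in the advisory

# Drupal contrib version string: <core>.x-<major>.<minor>[-<alpha|beta|rc><n>]
# or the dev snapshot form <core>.x-<major>.x-dev.
_VERSION = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-(alpha|beta|rc|dev)(\d*))?$")
# A plain release sorts after its own pre-releases.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}


def parse(version):
    """Return (core, major, minor, stage, n), or None for dev snapshots and unparseable input."""
    m = _VERSION.match(version.strip())
    if not m or m.group(3) == "x" or m.group(4) == "dev":
        return None
    core, major, minor, stage, n = m.groups()
    return (int(core), int(major), int(minor), _STAGE[stage], int(n or 0))


def needs_upgrade(installed, fixed=FIXED):
    """True if older than the fixed release, False if not, None if undecidable."""
    have, want = parse(installed), parse(fixed)
    if have is None or have[:2] != want[:2]:
        # Dev snapshot, unparseable string, or a branch the advisory does not name:
        # flag for manual review instead of guessing.
        return None
    # Numeric comparison: as plain strings "5.9" would wrongly sort after "5.11".
    return have[2:] < want[2:]


if __name__ == "__main__":
    # Constructed sample inventory: site name -> installed Webform version.
    inventory = {
        "intranet": "8.x-5.9",
        "shop": "8.x-5.11",
        "staging": "8.x-5.x-dev",
        "legacy": "8.x-5.0-beta12",
    }
    labels = {True: "UPGRADE", False: "ok", None: "REVIEW MANUALLY"}
    for site, version in inventory.items():
        print(f"{site:10} {version:16} {labels[needs_upgrade(version)]}")
```

A `None` result means the version string alone cannot settle the question, so that site should be checked by hand.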

