Vulnerability from drupal
Access Bypass:
This module enables you to build forms and surveys in Drupal.
The module doesn't sufficiently check access for administrative features for webforms attached to nodes using the Webform Node module. This may reveal submitted data or allow an attacker to modify submitted data. Additionally, for sites with webforms that send emails and store submissions this vulnerability would allow an attacker to use the site as an email relay (i.e. sending arbitrary emails).
There is no mitigation for this vulnerability. If you have the Webform Node module enabled you must update the Webform module.
Cross Site Scripting:
The Webform module enables site builders to create forms and surveys.
The Webform module doesn't sufficiently filter HTML when an element's 'Help title' and an 'Image Select' element's image text contain specially crafted malicious text.
This vulnerability is mitigated by the fact that an attacker must be able to create or edit webforms.
{
"affected": [
{
"database_specific": {
"affected_versions": "\u003e=6.0.0 \u003c6.0.6 || \u003e=6.1.0 \u003c6.1.2"
},
"package": {
"ecosystem": "Packagist:https://packages.drupal.org/8",
"name": "drupal/webform"
},
"ranges": [
{
"database_specific": {
"constraint": "\u003e=6.0.0 \u003c6.0.6"
},
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.6"
}
],
"type": "ECOSYSTEM"
},
{
"database_specific": {
"constraint": "\u003e=6.1.0 \u003c6.1.2"
},
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.1.2"
}
],
"type": "ECOSYSTEM"
}
],
"severity": []
}
],
"aliases": [],
"credits": [
{
"contact": [
"https://www.drupal.org/user/3580554"
],
"name": "Adam P"
},
{
"contact": [
"https://www.drupal.org/user/2523544"
],
"name": "Madelyn Cruz"
},
{
"contact": [
"https://www.drupal.org/user/3132219"
],
"name": "Rohit Tiwari"
}
],
"details": "### Access Bypass:\n\nThis module enables you to build forms and surveys in Drupal.\n\nThe module doesn\u0027t sufficiently check access for administrative features for webforms attached to nodes using the Webform Node module. This may reveal submitted data or allow an attacker to modify submitted data. Additionally, for sites with webforms that send emails and store submissions this vulnerability would allow an attacker to use the site as an email relay (i.e. sending arbitrary emails).\n\nThere is no mitigation for this vulnerability. If you have the Webform Node module enabled you must update the Webform module.\n\n### Cross Site Scripting:\n\nThe Webform module enables site builders to create forms and surveys.\n\nThe Webform module doesn\u0027t sufficiently filter HTML when an element\u0027s \u0027Help title\u0027 and an \u0027Image Select\u0027 element\u0027s image text contain specially crafted malicious text.\n\nThis vulnerability is mitigated by the fact that an attacker must be able to create or edit webforms.",
"id": "DRUPAL-CONTRIB-2021-045",
"modified": "2023-08-11T16:48:31.000Z",
"published": "2021-12-08T18:02:44.000Z",
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2021-045"
}
],
"schema_version": "1.7.0"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.