<div dir="ltr">View online: <a href="https://www.drupal.org/sa-contrib-2021-045" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2021-045</a><br><br>
Project: Webform [1]<br>
Date: 2021-December-08<br>
Security risk: *Critical* 16∕25<br>
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]<br>
Vulnerability: Cross Site Scripting, Access Bypass<br><br>
Description:<br>
.... Access Bypass:<br><br>
This module enables you to build forms and surveys in Drupal.<br><br>
The module doesn't sufficiently check access for administrative features for webforms attached to nodes using the Webform Node module. This may reveal submitted data or allow an attacker to modify submitted data.<br><br>
There is no mitigation for this vulnerability. If you have the Webform Node module enabled you must update the Webform module.<br><br>
.... Cross Site Scripting:<br><br>
The Webform module enables site builders to create forms and surveys.<br><br>
The Webform module doesn't sufficiently filter HTML when an element's 'Help title' and an 'Image Select' element's image text contain specially crafted malicious text.<br><br>
This vulnerability is mitigated by the fact that an attacker must be able to create or edit webforms.<br><br>
Solution:<br>
Install the latest version:<br><br>
   * If you use the Webform module for Drupal 9.x, upgrade to Webform 6.1.2 [3] or Webform 6.0.6 [4]<br>
   * If you use the Webform module version 8.x-5.x it is affected by this issue and is unsupported. You should upgrade to Webform 6.<br><br>
Reported By:<br>
.... Access Bypass:<br><br>
   * Adam P [5]<br>
   * Madelyn Cruz [6]<br><br>
.... Cross Site Scripting:<br><br>
   * Rohit Tiwari [7]<br><br>
Fixed By:<br>
.... Access Bypass:<br><br>
   * Chris McCafferty [8] of the Drupal Security Team<br>
   * Greg Knaddison [9] of the Drupal Security Team<br>
   * Jacob Rockowitz [10]<br>
   * Adam P [11]<br>
   * Lee Rowlands [12] of the Drupal Security Team<br><br>
.... Cross Site Scripting:<br><br>
   * Jacob Rockowitz [13]<br><br>
Coordinated By:<br>
   * Chris [14] of the Drupal Security Team<br>
   * Greg Knaddison [15] of the Drupal Security Team<br>
   * Damien McKenna [16] of the Drupal Security Team<br><br><br>
[1] <a href="https://www.drupal.org/project/webform" rel="noreferrer" target="_blank">https://www.drupal.org/project/webform</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/webform/releases/6.1.2" rel="noreferrer" target="_blank">https://www.drupal.org/project/webform/releases/6.1.2</a><br>
[4] <a href="https://www.drupal.org/project/webform/releases/6.0.6" rel="noreferrer" target="_blank">https://www.drupal.org/project/webform/releases/6.0.6</a><br>
[5] <a href="https://www.drupal.org/user/3580554" rel="noreferrer" target="_blank">https://www.drupal.org/user/3580554</a><br>
[6] <a href="https://www.drupal.org/user/2523544" rel="noreferrer" target="_blank">https://www.drupal.org/user/2523544</a><br>
[7] <a href="https://www.drupal.org/user/3132219" rel="noreferrer" target="_blank">https://www.drupal.org/user/3132219</a><br>
[8] <a href="https://www.drupal.org/user/1850070" rel="noreferrer" target="_blank">https://www.drupal.org/user/1850070</a><br>
[9] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[10] <a href="https://www.drupal.org/user/371407" rel="noreferrer" target="_blank">https://www.drupal.org/user/371407</a><br>
[11] <a href="https://www.drupal.org/user/3580554" rel="noreferrer" target="_blank">https://www.drupal.org/user/3580554</a><br>
[12] <a href="https://www.drupal.org/user/395439" rel="noreferrer" target="_blank">https://www.drupal.org/user/395439</a><br>
[13] <a href="https://www.drupal.org/user/371407" rel="noreferrer" target="_blank">https://www.drupal.org/user/371407</a><br>
[14] <a href="https://www.drupal.org/user/1850070" rel="noreferrer" target="_blank">https://www.drupal.org/user/1850070</a><br>
[15] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[16] <a href="https://www.drupal.org/user/108450" rel="noreferrer" target="_blank">https://www.drupal.org/user/108450</a><br>
<div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a></div><div>Contact: +55 19 3521-2289 or INOC-DBA: 1251*830</div></div></div></div></div>
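A defender-side version check derived from the affected ranges stated in the advisory above, added here as an example and not code from the Drupal Security Team or the Webform project: it reads a composer.lock, finds the installed drupal/webform version, and classifies it against the fixed releases 6.1.2 and 6.0.6 and the unsupported 8.x-5.x branch. The composer package name drupal/webform, the lock-file layout, and the treatment of branches newer than 6.1 as fixed are assumptions; the sample lock file is constructed.

```python
import json
import re

# Fixed releases named in the advisory, keyed by the branch they belong to.
FIXED_RELEASES = {(6, 1): (6, 1, 2), (6, 0): (6, 0, 6)}
LEGACY_RE = re.compile(r"^8\.x-(\d+)\.(?:\d+|x)(?:-\w+)?$")        # 8.x-5.23, 8.x-5.x-dev
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")  # 6.1.1, 6.1.2-rc1

def parse_version(version):
    """('legacy', N) for the 8.x-N.M scheme; (major, minor, patch, is_final)
    for semantic versions; None if the string is not recognised."""
    m = LEGACY_RE.match(version)
    if m:
        return ("legacy", int(m.group(1)))
    m = SEMVER_RE.match(version)
    if m:
        major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
        # A pre-release such as 6.1.2-rc1 sorts before the final 6.1.2.
        return (major, minor, patch, 0 if m.group(4) else 1)
    return None

def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for one Webform version string."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    if parsed[0] == "legacy":
        # 8.x-5.x is affected and unsupported; earlier 8.x branches are older still.
        return "affected" if parsed[1] <= 5 else "unknown"
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is not None:
        return "affected" if parsed < fixed + (1,) else "fixed"
    # Assumption: branches newer than 6.1 were cut after the fix; older ones are unknown.
    return "fixed" if parsed[:2] > (6, 1) else "unknown"

def find_package_version(lock_text, package="drupal/webform"):
    """Return the installed version of `package` from composer.lock text, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None

# Constructed sample lock file, not taken from any real site.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "drupal/core", "version": "9.2.10"},
                                       {"name": "drupal/webform", "version": "6.1.1"}]})
```

Running `classify(find_package_version(open("composer.lock").read()))` against a real site reports whether the installed Webform falls inside the advisory's affected ranges; the sample lock above yields "affected" for 6.1.1.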