DRUPAL-CONTRIB-2020-013

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/webform/DRUPAL-CONTRIB-2020-013.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2020-013
Published
2020-05-06T16:50:39Z
Modified
2025-12-10T23:33:25.433112Z
Summary
[none]
Details

The Webform module allows site builders to create forms.

The module doesn't sufficiently prevent malicious code from being rendered via options elements (i.e., select menus, checkboxes, radios, etc.) in the scenario where the site builder allows the raw option value to be displayed.

This vulnerability is mitigated by the fact that a site builder must be allowed to build a webform and select raw as the options element's submission display.


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/webform

Package

Name
drupal/webform
Purl
pkg:composer/drupal/webform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.11.0
Database specific
{
    "constraint": "<5.11.0"
}

Database specific

affected_versions
"<5.11.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/webform/DRUPAL-CONTRIB-2020-013.json"