DRUPAL-CONTRIB-2020-015

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/webform/DRUPAL-CONTRIB-2020-015.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2020-015

Published

2020-05-06T16:55:06Z

Modified

2025-12-10T23:33:25.771852Z

Summary

[none]

Details

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently sanitize Webform labels nor visibility conditions under the scenario of placing a block. When a webform block is placed and visible on a website any JavaScript code contained within the webform's label was executed.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

References

https://www.drupal.org/sa-contrib-2020-015

Credits

- Ide Braakman
- - https://www.drupal.org/user/1879760

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/webform

Package

Name: drupal/webform
Purl: pkg:composer/drupal/webform

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

5.11.0

Database specific

{
    "constraint": "<5.11.0"
}

Database specific

affected_versions

"<5.11.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/webform/DRUPAL-CONTRIB-2020-015.json"